Data Center Cisco FWSM / ACE Service Module Design & Deploy Guide, Version 1.0
2007-07-12
Cisco Systems Korea Solution SE Team, SE 최우형 (whchoi@cisco.com)

Agenda

I.   FWSM / ACE Design I - FWSM Routed Mode / ACE Transparent Mode
II.  Quick and easy ACE load balancing test method
III. FWSM / ACE Design II - FWSM Transparent Mode / ACE Routed Mode
IV.  FWSM / ACE Design III - FWSM Multi Pair Bridged Mode / ACE Routed Mode
V.   ACE DSR
VI.  FWSM / ACE Design IV - ACE-based FWSM 10G FLB Design

FWSM/ACE Design I: FWSM Routed Mode & ACE Transparent Mode

FWSM Routed & ACE Bridge: Topology

Diagram: two Cat6500s in OSPF Area 0 with uplinks 172.16.2.1 (F1/48, VLAN 2, gateway 172.16.2.254) and 172.16.1.1 (F1/48, VLAN 1, gateway 172.16.1.254), switch address 172.16.3.254/1; FWSM in routed mode with outside 22.22.22.1 on VLAN 22 (HSRP 22.22.22.254) and inside 21.21.21.1 on VLAN 21; ACE bridging VLAN 21 to VLAN 20 through a BVI, VIP 21.21.21.21; trunk carrying VLANs 20, 21, 22, 99, 198, 199; RSTP on the F9/1 links to the server switches; Server A 21.21.21.101, Server B 21.21.21.102.

FWSM Routed & ACE Transparent: Design Key Points

Diagram: same topology as the previous slide, with the FWSM marked Routed and the ACE marked TP (transparent); FWSM outside 22.22.22.1 (VLAN 22, HSRP 22.22.22.254), inside 21.21.21.1 (VLAN 21); ACE BVI between VLAN 21 and VLAN 20, VIP 21.21.21.21; Server A 21.21.21.11, Server B 21.21.21.12.

1. Stronger security for the server VIP
   - Mapping an FWSM static NAT IP to the ACE VIP adds a layer of protection in front of the server VIP.

2. Greater design flexibility
   - The FWSM same-security-interface feature allows a variety of subnet layouts.
   - The ACE ships with 5 virtual contexts by default, so when FWSM virtual contexts run short, the same-security feature can be used as a substitute.

3. Advantageous when a firewall is already in use
   - Migration is easier when the existing firewall already runs in routed mode or uses NAT.

FWSM Routed & ACE Transparent Config: Sup720 (Supervisor) basic configuration

ACE:
svclc multiple-vlan-interfaces
svclc module 6 vlan-group 3,4
svclc vlan-group 3 20-22          ! Inside, Outside, Client and Server VLANs used by the ACE and FWSM
svclc vlan-group 4 99,198,199     ! VLAN 99 for ACE failover tracking; VLAN 198, 199 for FWSM failover and stateful FO

FWSM:
firewall multiple-vlan-interfaces
firewall module 7 vlan-group 3,4

FWSM Routed & ACE Transparent Config: Sup720 STP configuration

Diagram: FWSM outside 22.22.22.1 / HSRP 22.22.22.254 on VLAN 22, inside 21.21.21.1 on VLAN 21, ACE BVI bridging VLAN 21 to VLAN 20, VIP 21.21.21.21, RSTP toward the server switches on F9/1.

Cat6500-A:
spanning-tree mode rapid-pvst
spanning-tree vlan 20 root primary      ! force Cat6500-A to be the primary root for VLAN 20
spanning-tree vlan 21 root primary

Cat6500-B:
spanning-tree mode rapid-pvst
spanning-tree vlan 20 root secondary    ! force Cat6500-B to be the secondary root for VLAN 20
spanning-tree vlan 21 root secondary

Tip: When a service module runs in transparent mode, a fast alternate path is essential. In the Layer 2 segment where the service module operates as a BVI, run RSTP so that takeover is as fast as possible and an alternate path is available quickly. Also, to avoid frequent STP changes, always make the active Cat6500 the root.

FWSM Routed & ACE Bridge Config: Sup720 HSRP configuration

Diagram: HSRP 22.22.22.254 on VLAN 22 in front of the FWSM outside 22.22.22.1; inside 21.21.21.1 on VLAN 21; ACE BVI between VLAN 21 and VLAN 20, VIP 21.21.21.21; RSTP on F9/1.

Cat6500-A:
interface Vlan22
 ip address 22.22.22.253 255.255.255.0
 standby 3 ip 22.22.22.254
 standby 3 priority 200
 standby 3 preempt

Cat6500-B:
interface Vlan22
 ip address 22.22.22.253 255.255.255.0
 standby 3 ip 22.22.22.254
 standby 3 preempt

Tip: Because this is internal HSRP between the MSFC and the FWSM, HSRP cannot flap because of a physical issue. Unless the FWSM module or the Supervisor Engine itself fails, the HSRP primary interface is therefore fixed, and in this case preempt should be configured.

FWSM Routed & ACE Transparent Config: FWSM virtual context configuration

interface Vlan11
 description =TP Mode - Inside=
!
interface Vlan12
 description =TP Mode - Outside=
!
interface Vlan21
 description =Routed Mode - Inside=
!
interface Vlan22
 description =Routed Mode - Outside=
!
interface Vlan101
 description =Admin - Inside=
!
interface Vlan102
 description =Admin - Outside=
!
interface Vlan198
 description LAN Failover Interface
!
interface Vlan199
 description STATE Failover Interface
!
admin-context admin
 allocate-interface Vlan101     ! interfaces assigned to the Admin VF (virtual firewall)
 allocate-interface Vlan102
 config-url disk:/admin.cfg     ! where the Admin VF config file is stored
!
context A-Group
 allocate-interface Vlan11      ! interfaces assigned to the A-Group VF
 allocate-interface Vlan12
 config-url disk:/A-group.cfg   ! where the A-Group VF config file is stored
!
context B-Group
 allocate-interface Vlan21      ! interfaces assigned to the B-Group VF
 allocate-interface Vlan22
 config-url disk:/B-group       ! where the B-Group VF config file is stored

FWSM Routed & ACE Transparent Config: FWSM failover configuration

failover lan unit primary                     ! declare this FWSM unit as Primary (or Secondary)
failover lan interface faillink Vlan198       ! declare VLAN 198 as the failover interface
failover polltime unit msec 500 holdtime 3    ! polling time and hold time
failover replication http                     ! replicate HTTP sessions on failover
failover link statelink Vlan199               ! declare the stateful failover interface
failover interface ip faillink 192.168.98.1 255.255.255.0 standby 192.168.98.2     ! failover interface IP addresses
failover interface ip statelink 192.168.99.1 255.255.255.0 standby 192.168.99.2    ! stateful failover interface IP addresses

FWSM Routed & ACE Transparent Config: FWSM basic configuration

Diagram: outside 22.22.22.1 on VLAN 22 (gateway 22.22.22.254), inside 21.21.21.1 on VLAN 21, ACE BVI toward VLAN 20, F9/1 to the server switch.

interface Vlan21
 nameif inside
 security-level 100
 ip address 21.21.21.1 255.255.255.0     ! inside interface
!
interface Vlan22
 nameif outside
 security-level 0
 ip address 22.22.22.1 255.255.255.0     ! outside interface
!
access-list permit extended permit ip any any      ! ACL rule
access-group permit in interface inside            ! ACL assignment per interface
access-group permit in interface outside
route outside 0.0.0.0 0.0.0.0 22.22.22.254 1       ! outside routing
icmp permit any inside
icmp permit any outside

FWSM Routed & ACE Transparent Config: ACE virtual partition configuration

context A_Group
 allocate-interface vlan 10-11    ! declare the A_Group context and assign VLAN 10, 11
context B_Group
 allocate-interface vlan 20-21    ! declare the B_Group context and assign VLAN 20, 21

ft interface vlan 99                              ! ACE failover interface
 ip address 99.99.99.1 255.255.255.0
 peer ip address 99.99.99.2 255.255.255.0
 no shutdown

ft peer 1                                         ! heartbeat interval and count between FT peers
 heartbeat interval 100
 heartbeat count 10
 ft-interface vlan 99

FWSM Routed & ACE Transparent Config: ACE FT - failover group configuration

ft group 1                      ! priority per ft group and the context it carries
 peer 1
 no preempt
 priority 200
 associate-context Admin
 inservice
ft group 2
 peer 1
 no preempt
 priority 200
 associate-context A_Group
 inservice
ft group 3
 peer 1
 no preempt
 priority 200
 associate-context B_Group
 inservice

Tip: Giving each ft group a different priority load-shares the two ACE modules, and depending on the design the pair can be built as Active/Active or Active/Standby. Note that this differs from the FWSM Active/Active form: it is not a mode where sessions are shared within the same context and traffic flows through both modules at once.

FWSM Routed & ACE Transparent Config: ACE FT - failover interface configuration

ft interface vlan 99                  ! FT interface VLAN 99
 ip address 99.99.99.1 255.255.255.0
 peer ip address 99.99.99.2 255.255.255.0
 no shutdown
ft peer 1
 heartbeat interval 100               ! heartbeat interval, in milliseconds
 heartbeat count 10                   ! number of heartbeats
 ft-interface vlan 99

In the example above, heartbeat interval * heartbeat count = 1 sec.

FWSM Routed & ACE Transparent Config: ACE basic configuration - real server

rserver host Server11
 ip address 21.21.21.11
 inservice
rserver host Server12
 ip address 21.21.21.12
 inservice

FWSM Routed & ACE Transparent Config: ACE basic configuration - server farm

serverfarm host Web-Server
 rserver Server11
  inservice
 rserver Server12
  inservice

FWSM Routed & ACE Transparent Config: ACE basic configuration - SLB policy map

LB policy map:
policy-map type loadbalance first-match SLB
 class class-default
  serverfarm Web-Server

FWSM Routed & ACE Transparent Config: ACE basic configuration - server VIP

LB policy map:
policy-map type loadbalance first-match SLB
 class class-default
  serverfarm Web-Server

Class map (VIP):
class-map match-all Web-Server-VIP
 2 match virtual-address 21.21.21.21 tcp eq www

FWSM Routed & ACE Transparent Config: ACE basic configuration - L3/L4 policy map

LB policy map:
policy-map type loadbalance first-match SLB
 class class-default
  serverfarm Web-Server

Class map (VIP):
class-map match-all Web-Server-VIP
 2 match virtual-address 21.21.21.21 tcp eq www

L3/L4 policy map:
policy-map multi-match match-www
 class Web-Server-VIP
  loadbalance vip inservice
  loadbalance policy SLB

FWSM Routed & ACE Transparent Config: ACE basic configuration - L3/L4 policy map, interface ACL and service policy

LB policy map:
policy-map type loadbalance first-match SLB
 class class-default
  serverfarm Web-Server

Class map (VIP):
class-map match-all Web-Server-VIP
 2 match virtual-address 21.21.21.21 tcp eq www

L3/L4 policy map:
policy-map multi-match match-www
 class Web-Server-VIP
  loadbalance vip inservice
  loadbalance policy SLB

Interface ACL and service policy:
access-list anyone extended permit ip any any
interface vlan 21
 access-group input anyone
 service-policy input match-www

FWSM Routed & ACE Transparent Config: ACE basic configuration - L7 real servers

rserver host Server11
 ip address 21.21.21.11
 inservice
rserver host Server12
 ip address 21.21.21.12
 inservice
rserver host Server13
 ip address 21.21.21.13
 inservice
rserver host Server14
 ip address 21.21.21.14
 inservice

FWSM Routed & ACE Transparent Config: ACE basic configuration - L7 server farms

serverfarm host Web-Server
 rserver Server11
  inservice
 rserver Server12
  inservice
serverfarm host URL-Server
 rserver Server13
  inservice
 rserver Server14
  inservice

FWSM Routed & ACE Transparent Config: ACE basic configuration - L7 SLB policy map (1)

LB policy map:
policy-map type loadbalance first-match SLB
 predictor roundrobin
 class class-default
  serverfarm Web-Server

Class map (VIP):
class-map match-all Web-Server-VIP
 2 match virtual-address 21.21.21.21 tcp eq www

L3/L4 policy map:
policy-map multi-match match-www
 class Web-Server-VIP
  loadbalance vip inservice
  loadbalance policy SLB

L7 class map (URL match):
class-map type http loadbalance match-any URL_contents
 2 match http url .*.php

FWSM Routed & ACE Transparent Config: ACE basic configuration - L7 SLB policy map (2)

LB policy map:
policy-map type loadbalance first-match SLB
 predictor roundrobin
 class class-default
  serverfarm Web-Server
 class URL_contents
  serverfarm URL-Server

Class map (VIP):
class-map match-all Web-Server-VIP
 2 match virtual-address 21.21.21.21 tcp eq www

L3/L4 policy map:
policy-map multi-match match-www
 class Web-Server-VIP
  loadbalance vip inservice
  loadbalance policy SLB

L7 class map (URL match):
class-map type http loadbalance match-any URL_contents
 2 match http url .*.php

FWSM Routed & ACE Transparent Config: ACE basic configuration - health monitoring (probe) #1

Probe-A is attached to an individual real server; Probe-B is attached to the server farm.

probe http html-probe
 request method get url /index.html
 expect status 200
probe icmp icmp-probe

rserver host Server11
 ip address 21.21.21.11
 probe html-probe
 inservice
rserver host Server12
 ip address 21.21.21.12
 inservice

serverfarm host Web-Server
 probe icmp-probe
 rserver Server11
  inservice
 rserver Server12
  inservice

FWSM Routed & ACE Transparent Config: ACE basic configuration - health monitoring (probe) #2

rserver host Server11
 ip address 21.21.21.11
 probe html-probe
 inservice
rserver host Server12
 ip address 21.21.21.12
 inservice

serverfarm host Web-Server
 probe icmp-probe
 rserver Server11
  inservice
 rserver Server12
  inservice

Diagram: serverfarm Web-Server with an ICMP probe; rserver S11 additionally has an HTTP probe; rserver S12 has only the farm's ICMP probe.

Tip: As in this example, when a separate HTTP probe is assigned to real server S11 and an ICMP probe is assigned to the serverfarm Web-Server that S11 belongs to, rserver S11 is removed from service if either the icmp-probe or the http-probe fails. Assigning two or more probes to a very important real service is therefore one useful tip.

FWSM Routed & ACE Transparent Config: ACE basic configuration - health monitoring (probe) #3

ACE/B_Group# sh probe
probe       : html-probe
type        : HTTP, state : ACTIVE
----------------------------------------------
   port      : 80        address     : 0.0.0.0     addr type  :
   interval  : 120       pass intvl  : 300         pass count : 3
   fail count: 3         recv timeout: 10
               ------------------ probe results ------------------
   probe association   probed-address  probes  failed  passed  health
   -------------------+---------------+-------+-------+-------+-------
   rserver : Server11  21.21.21.11     22      3       19      SUCCESS

probe       : icmp-probe
type        : ICMP, state : ACTIVE
----------------------------------------------
   port      : 0         address     : 0.0.0.0     addr type  :
   interval  : 120       pass intvl  : 300         pass count : 3
   fail count: 3         recv timeout: 10
               ------------------ probe results ------------------
   probe association   probed-address  probes  failed  passed  health
   -------------------+---------------+-------+-------+-------+-------
   serverfarm : Web-Server
     real : Server11[0] 21.21.21.11    302     199     103     SUCCESS
     real : Server12[0] 21.21.21.12    302     0       302     SUCCESS

FWSM Routed & ACE Transparent Config: ACE basic configuration - health monitoring (probe) #4

probe <probe-type> <probename>
 description <description>
 port <port-number>
 interval <sec>
 faildetect <retry-count>
 passdetect interval <sec>
 passdetect count <number>
 receive <receive-timeout>

1. probe <probe-type> <probename>: probe types are dns, echo, finger, ftp, https, icmp, imap, pop, radius, probe, scripted, smtp, tcp, telnet, udp. Probes for many different protocols and script-based probes are supported.
2. port <port-number>: a probe can be directed at a specific TCP/UDP service port.

FWSM Routed & ACE Transparent Config: ACE basic configuration - health monitoring (probe) #5

probe <probe-type> <probename>
 description <description>
 port <port-number>
 interval <sec>
 faildetect <retry-count>
 passdetect interval <sec>
 passdetect count <number>
 receive <receive-timeout>

probe icmp icmp-probe
 description ICMP-Probe
 interval 2
 faildetect 10
 passdetect interval 2
 passdetect count 5
 receive 1

Tip:
- interval is the period at which the probe is checked. In the example, a check runs every 2 seconds.
- faildetect is the count at which probe failures mark the real server as failed. In the example, after 10 failures are counted the server is treated as failed.
- receive is how long the ACE waits for a reply after sending the probe to the server. In the example it waits 1 second.
Looking at the result of the configuration example, the total time until a server is marked failed is interval * faildetect * receive. It is therefore very important to calculate these three values carefully when deciding how failed servers are selected.

FWSM Routed & ACE Transparent Config: ACE basic configuration - health monitoring (probe) #6

probe <probe-type> <probename>
 description <description>
 port <port-number>
 interval <sec>
 faildetect <retry-count>
 passdetect interval <sec>
 passdetect count <number>
 receive <receive-timeout>

probe icmp icmp-probe
 description ICMP-Probe
 interval 2
 faildetect 10
 passdetect interval 2
 passdetect count 5
 receive 1

Tip:
- passdetect interval is the period at which probes are sent again so that a failed server can recover. In the example a probe is sent every 2 seconds.
- passdetect count is the number of successful probes required for a failed server to recover. In the example, service resumes after 5 successful probe results are received.
Looking at the result of the configuration example, even when a failed server recovers normally, the time until it returns is interval * count.

FWSM Routed & ACE Transparent Config: ACE basic configuration - health monitoring (probe) #7

ACE/B_Group# sh probe icmp-probe
probe       : icmp-probe
type        : ICMP, state : ACTIVE
----------------------------------------------
   port      : 0         address     : 0.0.0.0     addr type  :
   interval  : 2         pass intvl  : 2           pass count : 5
   fail count: 10        recv timeout: 1
               ------------------ probe results ------------------
   probe association   probed-address  probes  failed  passed  health
   -------------------+---------------+-------+-------+-------+-------
   rserver : Server11  21.21.21.11     269     199     70      SUCCESS
   rserver : Server12  21.21.21.12     269     0       269     SUCCESS
   serverfarm : Web-Server
     real : Server11[0] 21.21.21.11    269     199     70      SUCCESS
     real : Server12[0] 21.21.21.12    269     0       269     SUCCESS

FWSM Routed & ACE Transparent Config: ACE basic configuration - health monitoring (probe) #8

ACE/B_Group# sh probe icmp-probe detail
probe       : icmp-probe
type        : ICMP, state : ACTIVE
description : ICMP-Probe
----------------------------------------------
   port      : 0         address     : 0.0.0.0     addr type  :
   interval  : 2         pass intvl  : 2           pass count : 5
   fail count: 10        recv timeout: 1
               ------------------ probe results ------------------
   probe association   probed-address  probes  failed  passed  health
   -------------------+---------------+-------+-------+-------+-------
   rserver : Server11  21.21.21.11     259     199     60      SUCCESS
   Socket state        : CLOSED
   No. Passed states   : 1          No. Failed states  : 1
   No. Probes skipped  : 0          Last status code   : 0
   No. Out of Sockets  : 0          No. Internal error : 0
   Last disconnect err :
   Last probe time     : Fri Jul  6 14:28:08 2007
   Last fail time      : Fri Jul  6 14:19:43 2007
   Last active time    : Fri Jul  6 14:26:24 2007
   (remainder omitted)
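The `sh probe` tables above are what an operator reads to confirm the health-monitoring design is actually working. The Python below is an added example (not from the slides) that parses that table format and flags entries whose health is not SUCCESS or whose failed/probes ratio shows the server has been flapping, as Server11 does on the slide (199 failures out of 269). The sample text is constructed to match the slide's output; the threshold is an assumption.

```python
"""Parse Cisco ACE `show probe` results and flag failed or flapping rservers.

Added example, not from the original slides. SAMPLE is a constructed copy of the
`sh probe icmp-probe` table shown on the slide (rservers 21.21.21.11 and .12).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample modelled on the slide's output.
SAMPLE = """\
probe       : icmp-probe
type        : ICMP, state : ACTIVE
   port      : 0         address     : 0.0.0.0     addr type  :
   interval  : 2         pass intvl  : 2           pass count : 5
   fail count: 10        recv timeout: 1
               ------------------ probe results ------------------
   probe association   probed-address  probes  failed  passed  health
   -------------------+---------------+-------+-------+-------+-------
   rserver : Server11  21.21.21.11     269     199     70      SUCCESS
   rserver : Server12  21.21.21.12     269     0       269     SUCCESS
   serverfarm : Web-Server
     real : Server11[0] 21.21.21.11    269     199     70      SUCCESS
     real : Server12[0] 21.21.21.12    269     0       269     SUCCESS
"""

# One result row: "<rserver|real> : <name> <ipv4> <probes> <failed> <passed> <health>"
RESULT_RE = re.compile(
    r"^\s*(?P<kind>rserver|real)\s*:\s*(?P<name>\S+)\s+"
    r"(?P<addr>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<probes>\d+)\s+(?P<failed>\d+)\s+(?P<passed>\d+)\s+(?P<health>\S+)\s*$"
)


@dataclass
class ProbeResult:
    name: str
    addr: str
    probes: int
    failed: int
    passed: int
    health: str

    @property
    def fail_ratio(self) -> float:
        """Share of all probes sent to this association that failed."""
        return self.failed / self.probes if self.probes else 0.0


def parse_probe_results(text: str) -> list[ProbeResult]:
    """Return one ProbeResult per rserver/real row; header and summary lines are skipped."""
    results: list[ProbeResult] = []
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if m:
            results.append(ProbeResult(m["name"], m["addr"], int(m["probes"]),
                                       int(m["failed"]), int(m["passed"]), m["health"]))
    return results


def flag_unhealthy(results: list[ProbeResult], max_fail_ratio: float = 0.1) -> dict[str, str]:
    """Verdict per association. The ACE `health` column decides in/out of service;
    a SUCCESS entry with a high historical fail ratio is reported as FLAPPING so the
    operator looks at the server before it is pulled by faildetect. Threshold is assumed."""
    verdict: dict[str, str] = {}
    for r in results:
        if r.health != "SUCCESS":
            verdict[r.name] = "FAILED"
        elif r.fail_ratio > max_fail_ratio:
            verdict[r.name] = "FLAPPING"
        else:
            verdict[r.name] = "OK"
    return verdict


if __name__ == "__main__":
    for name, state in flag_unhealthy(parse_probe_results(SAMPLE)).items():
        print(f"{name:14s} {state}")
```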

FWSM Routed & ACE Transparent Config: ACE basic configuration - transparent (bridge) mode

Diagram: FWSM on VLAN 21, ACE bridge-group/BVI between VLAN 21 and VLAN 20, real servers and server farm on VLAN 20.

access-list bpdu ethertype permit bpdu     ! pass BPDUs through the bridge to prevent STP loops

interface vlan 21
 bridge-group 1
 access-group input bpdu
 access-group input anyone
 service-policy input p-mgmt
 service-policy input match-www
 no shutdown

interface vlan 20
 bridge-group 1
 access-group input bpdu
 access-group input anyone
 no shutdown

interface bvi 1
 ip address 21.21.21.254 255.255.255.0
 peer ip address 21.21.21.253 255.255.255.0
 no shutdown

FWSM Routed & ACE Transparent Config: ACE basic configuration - management policy

Class map:
class-map type management match-any c-mgmt
 2 match protocol icmp any
 3 match protocol telnet any
 4 match protocol ssh any

L3/L4 policy map:
policy-map type management first-match p-mgmt
 class c-mgmt
  permit

Interface:
interface vlan 21
 description B_Group_Client_Vlan
 service-policy input p-mgmt

FWSM Routed & ACE Transparent Config: ACE monitoring - basic review

ACE:
DC_BB-A#sh asic-version slot 6
Module in slot 6 has 2 type(s) of ASICs
ASIC Name      Count    Version
HYPERION       1        (5.0)
SSA            1        (8.0)

FWSM:
DC_BB-A#sh asic-version slot 7
Module in slot 7 has 2 type(s) of ASICs
ASIC Name      Count    Version
PINNACLE       2        (4.2)
MEDUSA         1        (2.0)

Unlike the FWSM and CSM, which connect over a multi-gigabit EtherChannel, the ACE is attached through a single 10G interface.

DC_BB-A#sh interfaces tenGigabitEthernet 6/1 status
Port    Name    Status       Vlan    Duplex  Speed  Type
Te6/1           connected    trunk   full    10G    Multi Service Module

DC_BB-A#sh interfaces tenGigabitEthernet 6/1 counters
Port    InOctets    InUcastPkts    InMcastPkts    InBcastPkts
Te6/1   3900088     35250          18058          450
Port    OutOctets   OutUcastPkts   OutMcastPkts   OutBcastPkts
Te6/1   5555729     79198          2240           1640

FWSM Routed & ACE Transparent Config: ACE monitoring - svclc

DC_BB-A#show svclc vlan-group
Display vlan-groups created by both ACE module and FWSM commands
Group    Created by    vlans
-----    ----------    -----
1        ACE           100-102
2        ACE           10-12
3        ACE           20-22
4        ACE           99,198-199

DC_BB-A#show svclc module
Module    Vlan-groups
------    -----------
06        1,2,3,4

DC_BB-A#show interfaces tenGigabitEthernet 6/1 trunk
Port      Mode    Encapsulation    Status      Native vlan
Te6/1     on      802.1q           trunking    1

Port      Vlans allowed on trunk
Te6/1     10-12,20-22,99-102,198-199

Port      Vlans allowed and active in management domain
Te6/1     10-12,20-22,99-102,198-199

Port      Vlans in spanning tree forwarding state and not pruned
Te6/1     10-12,20-22,99-102,198-199
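The svclc output above is the place to verify that every VLAN an ACE context allocates is actually delivered to the module by the Sup720; a VLAN missing from the module's vlan-groups carries no traffic, so the VIP, the probes or the FT heartbeat on it fail with no error in the context itself. The Python below is an added example (not from the slides or Cisco) that cross-checks the two; its sample text is constructed from the svclc and context lines on these slides, plus a deliberately wrong context (C_Group on VLAN 30) to exercise the check.

```python
"""Cross-check Sup720 vlan-group assignments against ACE context VLAN allocations.

Added example, not from the original slides. SUP_CONFIG and ACE_CONFIG are constructed
from the configuration lines shown on the slides; C_Group / vlan 30 is a deliberate
misconfiguration added so the check has something to report.
"""
from __future__ import annotations

import re

SUP_CONFIG = """\
svclc multiple-vlan-interfaces
svclc module 6 vlan-group 1,2,3,4
svclc vlan-group 1 100-102
svclc vlan-group 2 10-12
svclc vlan-group 3 20-22
svclc vlan-group 4 99,198,199
firewall multiple-vlan-interfaces
firewall module 7 vlan-group 3,4
"""

ACE_CONFIG = """\
context A_Group
  allocate-interface vlan 10-11
context B_Group
  allocate-interface vlan 20-21
context C_Group
  allocate-interface vlan 30
ft interface vlan 99
"""


def expand_vlan_list(spec: str) -> set[int]:
    """'10-12,99,198-199' -> {10, 11, 12, 99, 198, 199}; ignores spaces and a 'vlan' prefix."""
    vlans: set[int] = set()
    for part in spec.lower().replace("vlan", "").replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def module_vlans(sup_config: str, module: int) -> set[int]:
    """VLANs the Sup delivers to slot `module`, resolving vlan-group ids to VLAN ids.
    Both `svclc` (ACE) and `firewall` (FWSM) command forms are accepted."""
    groups: dict[int, set[int]] = {}
    group_ids: set[int] = set()
    for line in sup_config.splitlines():
        m = re.match(r"^(?:svclc|firewall)\s+vlan-group\s+(\d+)\s+(.+)$", line)
        if m:
            groups[int(m[1])] = expand_vlan_list(m[2])
            continue
        m = re.match(r"^(?:svclc|firewall)\s+module\s+(\d+)\s+vlan-group\s+(.+)$", line)
        if m and int(m[1]) == module:
            group_ids |= expand_vlan_list(m[2])  # same "1,2,3-4" syntax, but these are group ids
    return set().union(*(groups.get(g, set()) for g in group_ids))


def context_vlans(ace_config: str) -> dict[str, set[int]]:
    """Map each ACE context (and the FT interface, keyed '<ft>') to the VLANs it uses."""
    usage: dict[str, set[int]] = {}
    current: str | None = None
    for line in ace_config.splitlines():
        m = re.match(r"^context\s+(\S+)", line)
        if m:
            current = m[1]
            usage.setdefault(current, set())
            continue
        m = re.match(r"^\s+allocate-interface\s+vlan\s+(.+)$", line)
        if m and current:
            usage[current] |= expand_vlan_list(m[1])
            continue
        m = re.match(r"^ft interface vlan\s+(\d+)", line)
        if m:
            usage.setdefault("<ft>", set()).add(int(m[1]))
    return usage


def missing_vlans(sup_config: str, module: int, ace_config: str) -> dict[str, set[int]]:
    """Per context, the VLANs it allocates that the Sup never hands to `module`."""
    delivered = module_vlans(sup_config, module)
    return {ctx: vl - delivered for ctx, vl in context_vlans(ace_config).items() if vl - delivered}


if __name__ == "__main__":
    for ctx, vl in missing_vlans(SUP_CONFIG, 6, ACE_CONFIG).items():
        print(f"context {ctx}: VLANs {sorted(vl)} not delivered to module 6")
```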

FWSM Routed & ACE Transparent Config: ACE monitoring - ARP table

ACE/B_Group# sh arp
Context B_Group
================================================================================
IP ADDRESS      MAC-ADDRESS        Interface  Type       Encap  NextArp(s)  Status
================================================================================
21.21.21.11     00.10.c6.c0.01.55  vlan20     RSERVER    6      132 sec     up
21.21.21.12     00.0d.60.b1.20     vlan20     RSERVER    5      132 sec     up
21.21.21.253    00.19.06.28.10.61  vlan21     LEARNED    10     12681 sec   up
21.21.21.1      00.0f.23.be.fe.00  vlan21     GATEWAY    7      132 sec     up
21.21.21.21     00.0b.fc.fe.1b.03  vlan21     VSERVER    LOCAL  _           up
21.21.21.254    00.19.06.27.d9.01  bvi1       INTERFACE  LOCAL  _           up
21.21.21.13     00.00              bvi1       RSERVER                       dn
21.21.21.14     00.00              bvi1       RSERVER                       dn
================================================================================

FWSM Routed & ACE Transparent Config: ACE monitoring - routing table

ACE/B_Group# sh ip route
Routing Table for Context B_Group (RouteId 2)
Codes: H - host, I - interface, S - static, N - nat, A - need arp resolve, E - ecmp
Destination       Gateway        Interface    Flags
---------------------------------------------------
0.0.0.0           21.21.21.1     vlan21       S
21.21.21.0/24     0.0.0.0        bvi1         IA
Total route entries = 2

FWSM Routed & ACE Transparent Config: ACE monitoring - real server monitoring

== Real server reachable ==
ACE/B_Group# sh rserver Server11
 rserver              : Server11, type: HOST
 state                : OPERATIONAL
 ---------------------------------
                                                  ----------connections-----------
       real                  weight state        current    total
    ---+---------------------+------+------------+----------+----------
    serverfarm: Web-Server
       21.21.21.11:0          8      OPERATIONAL  1          8

== Real server unreachable ==
ACE/B_Group# sh rserver Server13
 rserver              : Server13, type: HOST
 state                : ARP_FAILED
 ---------------------------------
                                                  ----------connections-----------
       real                  weight state        current    total
    ---+---------------------+------+------------+----------+----------
    serverfarm: URL-Server
       21.21.21.13:0          8      ARP_FAILED   0

FWSM Routed & ACE Transparent Config: ACE monitoring - service policy monitoring

== Service policy status ==
ACE/B_Group# sh service-policy match-www detail
Status     : ACTIVE
Description:
-----------------------------------------
Interface: vlan 21
  service-policy: match-www
    class: Web-Server-VIP
      Address: 21.21.21.21    Port: eq 80
      loadbalance:
        L7 loadbalance policy: SLB
        VIP Route Metric     : 77
        VIP Route Advertise  : DISABLED
        VIP ICMP Reply       : DISABLED
        VIP State: INSERVICE
        curr conns       : 1         , hit count        : 27
        dropped conns    : 0
        client pkt count : 26        , client byte count: 1040
        server pkt count : 0         , server byte count:
      L7 Loadbalance policy : SLB
        class/match : URL_contents
          LB action : serverfarm: URL-Server
            hit count        : 0
            dropped conns    : 0
        class/match : class-default
          LB action : serverfarm: Web-Server
            hit count        : 0
            dropped conns    : 0

FWSM Routed & ACE Transparent: Failover Scenarios 1-3

Diagram: the Design I topology (OSPF Area 0 uplinks 172.16.2.1 and 172.16.1.1 on F1/48, switch 172.16.3.254/1, HSRP 22.22.22.254, FWSM outside 22.22.22.1 / inside 21.21.21.1, ACE BVI and VIP 21.21.21.21, trunk VLANs 20, 21, 22, 99, 198, 199, RSTP on F9/1, Server A 21.21.21.101, Server B 21.21.21.102) with the failure points numbered.

1. Server switch primary link failure
   - Session state is maintained; ping loss is at most one packet.
   - RSTP provides takeover in milliseconds.

2. ACE primary failure
   - Session state is maintained; ping loss is at most one packet.
   - The ACE FT mechanism can be configured for takeover in milliseconds.

3. FWSM failure
   - Session state is maintained; ping loss is at most one packet.
   - FWSM stateful failover can be configured for takeover in milliseconds.

FWSM Routed & ACE Transparent: Failover Scenario 4

Diagram: the same topology, with the primary Cat6500 and its router uplink marked as the failure point.

4. Primary 6500 failure or router uplink failure
   - Session state is maintained, or a fast alternate path is taken; ping loss is at most one packet.
   - A fast alternate path is obtained by implementing Fast OSPF (OSPF tuning):

interface ...
 ip ospf dead-interval minimal hello-multiplier 20
router ospf 1
 timers throttle spf 300 10000 30000
 timers throttle lsa all 2000 10000

Quick and Easy Load Balancing Test Method

How to Test Scenario: Test Topology & Freeware Toolkit

Diagram: a WAS (Web Application Stress) client at 172.16.11.11 sends traffic through the FWSM and the ACE bridge (VLAN 21 / BVI / VLAN 20) to the VIP 21.21.21.21, which is balanced across the real servers in the server farm.

Useful web stress toolkit:
- MS Web Application Stress, download URL: http://www.microsoft.com/technet/archive/itsolutions/intranet/downloads/webstres.mspx?mfr=true
- Apache server for the real-server test: http://www.apmsetup.com/download.php?ct=9

How to Test Scenario: Freeware Toolkit - WAS

Screenshot: in WAS, specify the web server IP address or domain name, and the verb and path.

How to Test Scenario: Freeware Toolkit - WAS

Screenshot: WAS stress environment settings.

How to Test Scenario: Freeware Toolkit - running a simple web server

Screenshot: start the Apache server, and MySQL for viewing statistics.

How to Test Scenario: Real server stress and load balancing check

Screenshot: stress status checked per real server.

How to Test Scenario: Real server stress and load balancing check (sh conn)

ACE/B_Group# sh conn
total current connections : 296
conn-id    np dir proto vlan source              destination         state
----------+--+---+-----+----+-------------------+-------------------+------+
6          1  in  TCP   21   172.16.11.11:2589   21.21.21.21:80      ESTAB
21         1  out TCP   20   21.21.21.11:80      172.16.11.11:2589   ESTAB
7          1  in  TCP   21   172.16.11.11:2559   21.21.21.21:80      ESTAB
99         1  out TCP   20   21.21.21.12:80      172.16.11.11:2559   ESTAB
95         1  in  TCP   21   172.16.11.11:2555   21.21.21.21:80      ESTAB
8          1  out TCP   20   21.21.21.11:80      172.16.11.11:2555   ESTAB
11         1  in  TCP   21   172.16.11.11:2692   21.21.21.21:80      ESTAB
55         1  out TCP   20   21.21.21.11:80      172.16.11.11:2692   ESTAB
63         1  in  TCP   21   172.16.11.11:2534   21.21.21.21:80      ESTAB
12         1  out TCP   20   21.21.21.12:80      172.16.11.11:2534   ESTAB
41         1  in  TCP   21   172.16.11.11:2601   21.21.21.21:80      ESTAB
13         1  out TCP   20   21.21.21.11:80      172.16.11.11:2601   ESTAB
14         1  in  TCP   21   172.16.11.11:2683   21.21.21.21:80      ESTAB
109        1  out TCP   20   21.21.21.11:80      172.16.11.11:2683   ESTAB
15         1  in  TCP   21   172.16.11.11:2699   21.21.21.21:80      ESTAB
141        1  out TCP   20   21.21.21.12:80      172.16.11.11:2699   ESTAB
16         1  in  TCP   21   172.16.11.11:2740   21.21.21.21:80      ESTAB
177        1  out TCP   20   21.21.21.11:80      172.16.11.11:2740   ESTAB
17         1  in  TCP   21   172.16.11.11:2681   21.21.21.21:80      ESTAB
(remainder omitted)

How to Test Scenario: Real server stress and load balancing check (sh serverfarm)

ACE/B_Group# sh serverfarm Web-Server
 serverfarm     : Web-Server, type: HOST
 total rservers : 2
 ---------------------------------
                                                  ----------connections-----------
       real                  weight state        current    total
    ---+---------------------+------+------------+----------+----------
    rserver: Server11
       21.21.21.11:0          8      OPERATIONAL  82         396
    rserver: Server12
       21.21.21.12:0          8      OPERATIONAL  88         392

ACE/B_Group# sh rserver Server12
 rserver              : Server12, type: HOST
 state                : OPERATIONAL
 ---------------------------------
                                                  ----------connections-----------
       real                  weight state        current    total
    ---+---------------------+------+------------+----------+----------
    serverfarm: Web-Server
       21.21.21.12:0          8      OPERATIONAL  1          404
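The `sh conn` and `sh serverfarm` outputs above are how the test confirms that the ACE really is spreading the WAS client's connections over both real servers. The Python below is an added example (not from the slides) that does the same check automatically from `sh conn` text: it pairs each inbound client-to-VIP flow with the outbound rserver-to-client flow that shares the client socket, counts connections per real server, and reports whether the split is within a round-robin tolerance. The sample rows are constructed to match the slide's output, with one inbound row that has no outbound partner yet.

```python
"""Check ACE load-balancing distribution from `show conn` output.

Added example, not from the original slides. SAMPLE_CONN is constructed after the slide's
`sh conn` table: client 172.16.11.11, VIP 21.21.21.21:80, rservers 21.21.21.11 and .12.
"""
from __future__ import annotations

import re
from collections import Counter

SAMPLE_CONN = """\
total current connections : 9
conn-id    np dir proto vlan source              destination         state
----------+--+---+-----+----+-------------------+-------------------+------+
6          1  in  TCP   21   172.16.11.11:2589   21.21.21.21:80      ESTAB
21         1  out TCP   20   21.21.21.11:80      172.16.11.11:2589   ESTAB
7          1  in  TCP   21   172.16.11.11:2559   21.21.21.21:80      ESTAB
99         1  out TCP   20   21.21.21.12:80      172.16.11.11:2559   ESTAB
95         1  in  TCP   21   172.16.11.11:2555   21.21.21.21:80      ESTAB
8          1  out TCP   20   21.21.21.11:80      172.16.11.11:2555   ESTAB
63         1  in  TCP   21   172.16.11.11:2534   21.21.21.21:80      ESTAB
12         1  out TCP   20   21.21.21.12:80      172.16.11.11:2534   ESTAB
17         1  in  TCP   21   172.16.11.11:2681   21.21.21.21:80      ESTAB
"""

# One connection row: id, np, dir, proto, vlan, source, destination, state
CONN_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<np>\d+)\s+(?P<dir>in|out)\s+(?P<proto>\S+)\s+(?P<vlan>\d+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<state>\S+)\s*$"
)


def parse_conn(text: str) -> list[dict[str, str]]:
    """Return the connection rows of `show conn` as dicts; headers and totals are skipped."""
    return [m.groupdict() for m in (CONN_RE.match(l) for l in text.splitlines()) if m]


def rserver_distribution(text: str, vip: str) -> tuple[dict[str, int], int]:
    """Count established client->VIP flows per real server.

    ACE shows each load-balanced connection twice: an 'in' flow from the client to the
    VIP and an 'out' flow from the chosen rserver back to the same client socket. The
    client ip:port is the join key; the 'out' flow's source is the real server.
    Returns ({rserver_ip: count}, number of inbound flows with no outbound partner).
    """
    inbound: set[str] = set()        # client sockets seen talking to the VIP
    outbound: dict[str, str] = {}    # client socket -> rserver ip
    for c in parse_conn(text):
        if c["dir"] == "in" and c["dst"] == vip:
            inbound.add(c["src"])
        elif c["dir"] == "out":
            outbound[c["dst"]] = c["src"].rsplit(":", 1)[0]
    counts: Counter[str] = Counter()
    unmatched = 0
    for client in inbound:
        if client in outbound:
            counts[outbound[client]] += 1
        else:
            unmatched += 1   # e.g. a flow still being set up, or no server side at all
    return dict(counts), unmatched


def is_balanced(counts: dict[str, int], expected_rservers: int, tolerance: int = 1) -> bool:
    """True when every expected rserver received traffic and the per-server counts differ
    by at most `tolerance`, which is what round-robin over one client should produce."""
    if len(counts) != expected_rservers:
        return False
    return max(counts.values()) - min(counts.values()) <= tolerance


if __name__ == "__main__":
    dist, pending = rserver_distribution(SAMPLE_CONN, "21.21.21.21:80")
    print(dist, "pending:", pending, "balanced:", is_balanced(dist, 2))
```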

FWSM/ACE Design II: FWSM Transparent Mode & ACE Routed Mode

FWSM Transparent & ACE Routed: Topology

Diagram: two Cat6500s in OSPF Area 0 with uplinks 172.16.2.1 (F1/48, VLAN 2, gateway 172.16.2.254) and 172.16.1.1 (F1/48, VLAN 1, gateway 172.16.1.254), switch address 172.16.3.254/1; HSRP 11.11.11.254 on VLAN 12; FWSM in transparent mode bridging VLAN 12 to VLAN 11 with BVI 11.11.11.12; ACE in routed mode with client-side address 11.11.11.1 (VLAN 11), server-side address 10.10.10.1 (VLAN 10) and VIP 11.11.11.11; trunk carrying VLANs 20, 21, 22, 99, 198, 199; RSTP on F9/1; Server A 10.10.10.11, Server B 10.10.10.12.

FWSM Transparent & ACE Routed: Design Key Points

Diagram: same topology as the previous slide, with the FWSM marked TP (transparent) and the ACE marked Routed; HSRP 11.11.11.254, FWSM BVI 11.11.11.12, ACE client side 11.11.11.1 and server side 10.10.10.1, VIP 11.11.11.11, Server A 10.10.10.11, Server B 10.10.10.12.

1. Easy migration
   - Because the FWSM is used in transparent mode, there is little change to the IP or physical design.

2. Greater design flexibility
   - The FWSM multi-pair bridge feature allows a variety of subnet layouts.
   - The ACE ships with 5 virtual contexts by default, so when FWSM virtual contexts run short, multi-pair bridge mode can be used as a substitute.

3. Advantageous when an L4 switch is already in use
   - Most L4 switches are run in routed mode, so keeping the existing IP addressing scheme unchanged during migration is a major advantage.

FWSM Transparent & ACE Routed: Sup720 configuration

ACE:
svclc multiple-vlan-interfaces
svclc module 6 vlan-group 2,4
svclc vlan-group 2 10-12          ! Inside, Outside, Client and Server VLANs used by the ACE and FWSM
svclc vlan-group 4 99,198,199     ! VLAN 99 for ACE failover tracking; VLAN 198, 199 for FWSM failover and stateful FO

FWSM:
firewall multiple-vlan-interfaces
firewall module 7 vlan-group 2,4

FWSM Transparent & ACE Routed: Sup720 HSRP configuration

Diagram: HSRP 11.11.11.254 on VLAN 12 above the FWSM BVI 11.11.11.12; ACE client side 11.11.11.1 (VLAN 11), server side 10.10.10.1 (VLAN 10), VIP 11.11.11.11; RSTP on F9/1.

Cat6500-A:
interface Vlan12
 ip address 11.11.11.253 255.255.255.0
 standby 2 ip 11.11.11.254
 standby 2 priority 200
 standby 2 preempt

Cat6500-B:
interface Vlan12
 ip address 11.11.11.252 255.255.255.0
 standby 2 ip 11.11.11.254
 standby 2 priority 200
 standby 2 preempt

Tip: Because this is internal HSRP between the MSFC and the FWSM/ACE, HSRP cannot flap because of a physical issue. Unless the FWSM module or the Supervisor Engine itself fails, the HSRP primary interface is therefore fixed, and in this case preempt should be configured.

FWSM Transparent & ACE Routed: FWSM virtual context configuration

interface Vlan11
 description =TP Mode - Inside=
!
interface Vlan12
 description =TP Mode - Outside=
!
interface Vlan21
 description =Routed Mode - Inside=
!
interface Vlan22
 description =Routed Mode - Outside=
!
interface Vlan101
 description =Admin - Inside=
!
interface Vlan102
 description =Admin - Outside=
!
interface Vlan198
 description LAN Failover Interface
!
interface Vlan199
 description STATE Failover Interface
!
admin-context admin
 allocate-interface Vlan101     ! interfaces assigned to the Admin VF (virtual firewall)
 allocate-interface Vlan102
 config-url disk:/admin.cfg     ! where the Admin VF config file is stored
!
context A-Group
 allocate-interface Vlan11      ! interfaces assigned to the A-Group VF
 allocate-interface Vlan12
 config-url disk:/A-group.cfg   ! where the A-Group VF config file is stored
!
context B-Group
 allocate-interface Vlan21      ! interfaces assigned to the B-Group VF
 allocate-interface Vlan22
 config-url disk:/B-group       ! where the B-Group VF config file is stored

FWSM Transparent & ACE Routed: FWSM failover configuration

failover lan unit primary
! Declares this FWSM as the primary (or secondary) unit
failover lan interface faillink Vlan198
! Failover (LAN) interface on VLAN 198
failover polltime unit msec 500 holdtime 3
! Unit poll time 500 ms, hold time 3 s
failover replication http
! Replicate HTTP connections to the standby so they survive a failover
failover link statelink Vlan199
! Stateful failover interface on VLAN 199
failover interface ip faillink 192.168.98.1 255.255.255.0 standby 192.168.98.2
! Failover interface addresses (active/standby)
failover interface ip statelink 192.168.99.1 255.255.255.0 standby 192.168.99.2
! Stateful failover interface addresses

Keep VLANs 198/199 off every user-facing trunk: the state link carries connection tables in clear text between the two modules.
58

FWSM Transparent & ACE Routed: FWSM basic config (context A-Group)

[Diagram: MSFC 11.11.11.254 on VLAN 12; FWSM BVI 11.11.11.12 bridging VLAN 12 to VLAN 11; ACE client alias 11.11.11.1 on VLAN 11 and server alias 10.10.10.1 on VLAN 10; servers behind F9/1]

interface Vlan11
 nameif inside
 security-level 100
 bridge-group 1
! Inside interface
interface Vlan12
 nameif outside
 security-level 0
 bridge-group 1
! Outside interface
!
access-list permit extended permit ip any any
access-list bpdu ethertype permit bpdu
! ACL rules; in bridge (transparent) mode BPDUs must be permitted explicitly with an ethertype ACL
access-group bpdu in interface inside
access-group permit in interface inside
access-group bpdu in interface outside
access-group permit in interface outside
! ACLs bound per interface
route outside 0.0.0.0 0.0.0.0 11.11.11.254 1
(remainder omitted)

With "permit ip any any" on both interfaces the FWSM passes everything and filters nothing; that is acceptable for testing the topology only. In production the outside ACL should be reduced to the VIPs and service ports the ACE actually serves, and the inside ACL to what the servers need outbound.
59

FWSM Transparent & ACE Routed: ACE virtual partition (context) configuration

context A_Group
 allocate-interface vlan 10-11
! A_Group context with VLANs 10 and 11 assigned
context B_Group
 allocate-interface vlan 20-21
! B_Group context with VLANs 20 and 21 assigned

ft interface vlan 99
 ip address 99.99.99.1 255.255.255.0
 peer ip address 99.99.99.2 255.255.255.0
 no shutdown
! ACE fault-tolerance (FT) interface
ft peer 1
 heartbeat interval 100
 heartbeat count 10
 ft-interface vlan 99
! Heartbeat interval and count between the FT peers
60

FWSM Transparent & ACE Routed: ACE FT failover group configuration

ft group 1
 peer 1
 no preempt
 priority 200
 associate-context Admin
 inservice
! One FT group per context, each with its own priority
ft group 2
 peer 1
 no preempt
 priority 200
 associate-context A_Group
 inservice
ft group 3
 peer 1
 no preempt
 priority 200
 associate-context B_Group
 inservice

Tip: giving each FT group a different priority on the two modules spreads the active contexts across both ACE modules, so the pair can be run Active/Active or Active/Standby as the design requires. A given context is still active on only one module at a time: this is not a mode in which one context shares sessions and forwards traffic on both modules simultaneously, and it differs in that respect from the picture people often have of FWSM Active/Active.
61

FWSM Transparent & ACE Routed: ACE FT interface and heartbeat

ft interface vlan 99
 ip address 99.99.99.1 255.255.255.0
 peer ip address 99.99.99.2 255.255.255.0
 no shutdown
ft peer 1
 heartbeat interval 100
 heartbeat count 10
 ft-interface vlan 99

heartbeat interval: in milliseconds. heartbeat count: number of missed heartbeats before the peer is declared down. In this example heartbeat interval x heartbeat count = 100 ms x 10 = 1 s, which is the time a dead peer takes to be detected.
62

FWSM Transparent & ACE Routed: ACE basic config, real servers

rserver host Server11
 ip address 10.10.10.11
 inservice
rserver host Server12
 ip address 10.10.10.12
 inservice
63

FWSM Transparent & ACE Routed: ACE basic config, serverfarm

serverfarm host Web-Server
 rserver Server11
  inservice
 rserver Server12
  inservice
64

FWSM Transparent & ACE Routed: ACE basic config, SLB (load-balance) policy map

Layers: LB policy-map -> serverfarm -> real servers

policy-map type loadbalance first-match SLB
 class class-default
  serverfarm Web-Server

The load-balancing algorithm (predictor roundrobin, which is also the default) is set under the serverfarm, not in the policy map.
65

FWSM Transparent & ACE Routed: ACE basic config, server VIP

Layers: class-map -> LB policy-map -> serverfarm -> real servers

policy-map type loadbalance first-match SLB
 class class-default
  serverfarm Web-Server

class-map match-all Web-Server-VIP
 2 match virtual-address 11.11.11.11 tcp eq www
66

FWSM Transparent & ACE Routed: ACE basic config, L3/L4 policy map

Layers: class-map -> L3/L4 policy-map -> LB policy-map -> serverfarm -> real servers

policy-map type loadbalance first-match SLB
 class class-default
  serverfarm Web-Server

class-map match-all Web-Server-VIP
 2 match virtual-address 11.11.11.11 tcp eq www

policy-map multi-match match-www
 class Web-Server-VIP
  loadbalance vip inservice
  loadbalance policy SLB
67

FWSM Transparent & ACE Routed: ACE basic config, L3/L4 policy map applied to the interface

Layers: class-map -> L3/L4 policy-map -> LB policy-map -> serverfarm -> real servers, plus interface ACL and service-policy

policy-map type loadbalance first-match SLB
 class class-default
  serverfarm Web-Server

class-map match-all Web-Server-VIP
 2 match virtual-address 11.11.11.11 tcp eq www

policy-map multi-match match-www
 class Web-Server-VIP
  loadbalance vip inservice
  loadbalance policy SLB

access-list anyone extended permit ip any any
interface vlan 11
 access-group input anyone
 service-policy input match-www

The ACE drops traffic on an interface that has no access-group, so an ACL is mandatory; "permit ip any any" is the lab shortcut. Since the only service here is the VIP on tcp/80, an ACL permitting tcp any host 11.11.11.11 eq www (plus what the management policy needs) is the safer production choice.
68

FWSM Transparent & ACE Routed: ACE basic config, L7 real servers

rserver host Server11
 ip address 10.10.10.11
 inservice
rserver host Server12
 ip address 10.10.10.12
 inservice
rserver host Server13
 ip address 10.10.10.13
 inservice
rserver host Server14
 ip address 10.10.10.14
 inservice

The real servers live on the server VLAN (10.10.10.0/24). The slide lists them as 11.11.11.11-14, which is the client/VIP subnet and would collide with the VIP 11.11.11.11; the ARP table later in this section shows 10.10.10.13/14 as the actual RSERVER entries.
69

FWSM Transparent & ACE Routed: ACE basic config, L7 serverfarms

serverfarm host Web-Server
 predictor roundrobin
 rserver Server11
  inservice
 rserver Server12
  inservice
serverfarm host URL-Server
 rserver Server13
  inservice
 rserver Server14
  inservice
70

FWSM Transparent & ACE Routed: ACE basic config, L7 SLB policy map (HTTP class-map)

Layers: L3/L4 class-map -> L3/L4 policy-map -> LB policy-map -> HTTP class-map -> serverfarm -> real servers

policy-map type loadbalance first-match SLB
 class class-default
  serverfarm Web-Server

class-map match-all Web-Server-VIP
 2 match virtual-address 11.11.11.11 tcp eq www

policy-map multi-match match-www
 class Web-Server-VIP
  loadbalance vip inservice
  loadbalance policy SLB

class-map type http loadbalance match-any URL_contents
 2 match http url .*\.php
71

FWSM Transparent & ACE Routed: ACE basic config, L7 SLB policy map (URL-based farm selection)

Layers: L3/L4 class-map -> L3/L4 policy-map -> LB policy-map with HTTP class-map -> serverfarms -> real servers

class-map type http loadbalance match-any URL_contents
 2 match http url .*\.php

policy-map type loadbalance first-match SLB
 class URL_contents
  serverfarm URL-Server
 class class-default
  serverfarm Web-Server

class-map match-all Web-Server-VIP
 2 match virtual-address 11.11.11.11 tcp eq www

policy-map multi-match match-www
 class Web-Server-VIP
  loadbalance vip inservice
  loadbalance policy SLB

Requests whose URL matches .*\.php go to URL-Server; everything else falls through to Web-Server. Because the policy map is first-match, the URL class must be listed before class-default, otherwise class-default catches every request.
72

FWSM Transparent & ACE Routed: ACE basic config, health monitoring (probe) #1

Probe-A (HTTP) is attached to a real server, Probe-B (ICMP) to the serverfarm.

probe http http-probe
 request method get url /index.html
 expect status 200 200
probe icmp icmp-probe

rserver host Server11
 ip address 10.10.10.11
 probe http-probe
 inservice
rserver host Server12
 ip address 10.10.10.12
 inservice

serverfarm host Web-Server
 probe icmp-probe
 rserver Server11
  inservice
 rserver Server12
  inservice
73

FWSM Transparent & ACE Routed: ACE basic config, health monitoring (probe) #2

rserver host Server11
 ip address 10.10.10.11
 probe http-probe
 inservice
rserver host Server12
 ip address 10.10.10.12
 inservice

serverfarm host Web-Server
 probe icmp-probe
 rserver Server11
  inservice
 rserver Server12
  inservice

[Diagram: serverfarm Web-Server with ICMP probe; rserver S11 additionally with HTTP probe; rserver S12 with the ICMP probe only]

Tip: as in this example, when real server S11 has its own HTTP probe and the serverfarm Web-Server it belongs to has an ICMP probe, S11 is removed from service as soon as either probe fails. For a very important real service, attaching two or more probes is therefore a useful tip: an ICMP probe alone proves only that the host answers pings, not that the application does.
74

FWSM Transparent & ACE Routed: ACE basic config, health monitoring (probe) #3

ACE/A_Group# sh probe
probe       : http-probe
type        : HTTP, state : ACTIVE
----------------------------------------------
   port      : 80      address     : 0.0.0.0     addr type  :
   interval  : 2       pass intvl  : 2           pass count : 5
   fail count: 10      recv timeout: 1
                 ------------------ probe results ------------------
   probe association   probed-address  probes     failed     passed     health
   ------------------- ---------------+----------+----------+----------+-------
   rserver     : S11
                 10.10.10.11     4          0          4          SUCCESS

probe       : icmp-probe
type        : ICMP, state : ACTIVE
----------------------------------------------
   port      : 0       address     : 0.0.0.0     addr type  :
   interval  : 2       pass intvl  : 2           pass count : 5
   fail count: 10      recv timeout: 1
                 ------------------ probe results ------------------
   probe association   probed-address  probes     failed     passed     health
   ------------------- ---------------+----------+----------+----------+-------
   serverfarm  : Web-Server
     real      : S11[0]
                 10.10.10.11     63         0          63         SUCCESS
     real      : S12[0]
                 10.10.10.12     99         0          99         SUCCESS
75

FWSM Transparent & ACE Routed: ACE basic config, health monitoring (probe) #4

Probe template:
probe <probe-type> <probe-name>
 description <description>
 port <port-number>
 interval <sec>
 faildetect <retry-count>
 passdetect interval <sec>
 passdetect count <number>
 receive <receive-timeout>

1 probe <probe-type> <probe-name>: probe types include dns, echo, finger, ftp, http, https, icmp, imap, pop, radius, scripted, smtp, tcp, telnet and udp, so both protocol-specific probes and script-based probes are supported.
2 port <port-number>: the probe can be pointed at a specific TCP/UDP service port instead of the port inherited from the VIP or real server.
76

FWSM Transparent & ACE Routed: ACE basic config, health monitoring (probe) #5

probe <probe-type> <probe-name>
 description <description>
 port <port-number>
 interval <sec>
 faildetect <retry-count>
 passdetect interval <sec>
 passdetect count <number>
 receive <receive-timeout>

probe icmp icmp-probe
 description ICMP-Probe
 interval 2
 faildetect 10
 passdetect interval 2
 passdetect count 5
 receive 1

Tip 3:
interval is how often the probe is sent to a healthy real; here every 2 s.
faildetect is the number of consecutive failed probes after which the real server is considered failed; here 10 failures.
receive is how long the ACE waits for the server's reply to one probe; here 1 s.
The time from a server going silent until it is marked failed is therefore about faildetect x interval plus one receive timeout, i.e. 10 x 2 s + 1 s, roughly 21 s with these values. receive bounds each individual probe and has to be shorter than interval; it is not a third multiplier (the product "interval x faildetect x receive" only happens to give a similar number here because receive is 1). Tune the three values together: too long a window keeps sending clients to a dead server, too short a window removes servers on transient latency.
77

FWSM Transparent & ACE Routed: ACE basic config, health monitoring (probe) #6

probe <probe-type> <probe-name>
 description <description>
 port <port-number>
 interval <sec>
 faildetect <retry-count>
 passdetect interval <sec>
 passdetect count <number>
 receive <receive-timeout>

probe icmp icmp-probe
 description ICMP-Probe
 interval 2
 faildetect 10
 passdetect interval 2
 passdetect count 5
 receive 1

Tip 4:
passdetect interval is how often the probe is re-sent to a real server that has already failed, to see whether it has recovered; here every 2 s.
passdetect count is the number of consecutive successful probes required before the failed server is returned to service; here 5.
So even once the server is actually back, passdetect interval x passdetect count = 2 s x 5 = 10 s pass before it receives traffic again.
78

FWSM Transparent & ACE Routed: ACE basic config, health monitoring (probe) #7

ACE/A_Group# sh probe icmp-probe
probe       : icmp-probe
type        : ICMP, state : ACTIVE
----------------------------------------------
   port      : 0       address     : 0.0.0.0     addr type  :
   interval  : 2       pass intvl  : 2           pass count : 5
   fail count: 10      recv timeout: 1
                 ------------------ probe results ------------------
   probe association   probed-address  probes     failed     passed     health
   ------------------- ---------------+----------+----------+----------+-------
   serverfarm  : Web-Server
     real      : S11[0]
                 10.10.10.11     102        0          102        SUCCESS
     real      : S12[0]
                 10.10.10.12     139        0          139        SUCCESS
79

FWSM Transparent & ACE Routed: ACE basic config, health monitoring (probe) #8

ACE/A_Group# sh probe icmp-probe detail
probe       : icmp-probe
type        : ICMP, state : ACTIVE
description : ICMP-Probe
----------------------------------------------
   port      : 0       address     : 0.0.0.0     addr type  :
   interval  : 2       pass intvl  : 2           pass count : 5
   fail count: 10      recv timeout: 1
                 ------------------ probe results ------------------
   probe association   probed-address  probes     failed     passed     health
   ------------------- ---------------+----------+----------+----------+-------
   serverfarm  : Web-Server
     real      : S11[0]
                 10.10.10.11     115        0          115        SUCCESS
         Socket state        : CLOSED
         No. Passed states   : 1         No. Failed states : 0
         No. Probes skipped  : 0         Last status code  : 0
         No. Out of Sockets  : 0         No. Internal error: 0
         Last disconnect err :
         Last probe time     : Sat Jul  7 09:11:33 2007
         Last fail time      : Never
         Last active time    : Sat Jul  7 09:07:45 2007
(remainder omitted)
80
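The probe tips above (slides 77 and 78) and the `show probe` listings can be turned into a small check that an operator runs against captured output. The following Python is an added example and not part of the Cisco deck: it models the probe timers (interval, faildetect, receive, passdetect interval/count), computes the worst-case time to declare a real failed and to return it to service, and parses the `show probe` results table to list reals whose health is not SUCCESS. The sample output is constructed to follow the layout shown on the slides (real name on one line, address and counters on the next); the regular expressions assume that layout, and the ProbeTimers class and its method names are this example's own.

```python
"""Reason about Cisco ACE probe timers and parse `show probe` output.

Added example, not from the Cisco deck. SAMPLE_SHOW_PROBE is constructed
to match the layout the slides show; the regexes assume that layout.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: farm-level ICMP probe, real S12 failing.
SAMPLE_SHOW_PROBE = """\
probe       : icmp-probe
type        : ICMP, state : ACTIVE
----------------------------------------------
   port      : 0       address     : 0.0.0.0     addr type  :
   interval  : 2       pass intvl  : 2           pass count : 5
   fail count: 10      recv timeout: 1

                 ------------------ probe results ------------------
   probe association   probed-address  probes     failed     passed     health
   ------------------- ---------------+----------+----------+----------+-------
   serverfarm  : Web-Server
     real      : S11[0]
                 10.10.10.11     102        0          102        SUCCESS
     real      : S12[0]
                 10.10.10.12     139        20         119        FAILED
"""


@dataclass(frozen=True)
class ProbeTimers:
    interval: int            # seconds between probes to a healthy real
    faildetect: int          # consecutive failures before the real is marked failed
    passdetect_interval: int  # seconds between probes to a failed real
    passdetect_count: int    # consecutive successes before the real returns to service
    receive: int             # seconds to wait for the reply to one probe

    def check(self) -> None:
        # A receive timeout that is not shorter than the interval means a probe
        # can still be outstanding when the next one is due, which makes the
        # detection arithmetic below meaningless.
        if self.receive >= min(self.interval, self.passdetect_interval):
            raise ValueError("receive timeout must be shorter than the probe intervals")

    def worst_case_fail_seconds(self) -> int:
        # Real goes silent just after answering a probe: the next probe is sent
        # `interval` later and times out after `receive` (failure 1 of faildetect),
        # then one more probe per interval until faildetect failures have accrued.
        return self.faildetect * self.interval + self.receive

    def worst_case_recover_seconds(self) -> int:
        # Real comes back just after a probe to the failed real was sent: it must
        # then answer passdetect_count probes spaced passdetect_interval apart.
        return self.passdetect_count * self.passdetect_interval


@dataclass(frozen=True)
class RealHealth:
    serverfarm: str   # empty for a probe attached directly to an rserver
    real: str
    address: str
    probes: int
    failed: int
    passed: int
    health: str


_TIMER_RE = {
    "interval": re.compile(r"\binterval\s*:\s*(\d+)"),
    "faildetect": re.compile(r"fail count\s*:\s*(\d+)"),
    "passdetect_interval": re.compile(r"pass intvl\s*:\s*(\d+)"),
    "passdetect_count": re.compile(r"pass count\s*:\s*(\d+)"),
    "receive": re.compile(r"recv timeout\s*:\s*(\d+)"),
}
_FARM_RE = re.compile(r"^\s*serverfarm\s*:\s*(\S+)")
_REAL_RE = re.compile(r"^\s*(?:real|rserver)\s*:\s*([^\s\[]+)")
_ROW_RE = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)")


def parse_timers(text: str) -> ProbeTimers:
    """Read the timer block of one probe from `show probe` output."""
    values = {}
    for key, pattern in _TIMER_RE.items():
        match = pattern.search(text)
        if not match:
            raise ValueError(f"{key} not found in show probe output")
        values[key] = int(match.group(1))
    return ProbeTimers(**values)


def parse_results(text: str) -> List[RealHealth]:
    """Walk the results table; the counters for a real sit on the line after its name."""
    farm, real, rows = "", "", []
    for line in text.splitlines():
        if (m := _FARM_RE.match(line)):
            farm = m.group(1)
        elif (m := _REAL_RE.match(line)):
            real = m.group(1)
        elif real and (m := _ROW_RE.match(line)):
            rows.append(RealHealth(farm, real, m.group(1), int(m.group(2)),
                                   int(m.group(3)), int(m.group(4)), m.group(5)))
            real = ""
    return rows


def unhealthy(rows: List[RealHealth]) -> List[Tuple[str, str]]:
    """Reals that the probe has not marked SUCCESS, as (name, health)."""
    return [(r.real, r.health) for r in rows if r.health != "SUCCESS"]


if __name__ == "__main__":
    timers = parse_timers(SAMPLE_SHOW_PROBE)
    timers.check()
    print(f"fail detection <= {timers.worst_case_fail_seconds()} s, "
          f"recovery <= {timers.worst_case_recover_seconds()} s")
    print("unhealthy:", unhealthy(parse_results(SAMPLE_SHOW_PROBE)))
```

With the deck's values (interval 2, faildetect 10, receive 1, passdetect 2/5) the worst-case detection time is 21 s and the return to service takes 10 s; feed real `show probe` output to the two parse functions to get the same numbers for a production context.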

FWSM Transparent & ACE Routed: ACE routed-mode interfaces (FWSM bridged)

[Diagram: ACE with VLAN 11 (client side, toward FWSM BVI) and VLAN 10 (server side); FWSM bridging VLAN 12 to VLAN 11]

interface vlan 10
 description "Server Vlan"
 ip address 10.10.10.2 255.255.255.0
 alias 10.10.10.1 255.255.255.0
 peer ip address 10.10.10.3 255.255.255.0
 service-policy input p-mgmt
 no shutdown

interface vlan 11
 ip address 11.11.11.2 255.255.255.0
 alias 11.11.11.1 255.255.255.0
 peer ip address 11.11.11.3 255.255.255.0
 access-group input anyone
 service-policy input match-www
 service-policy input p-mgmt
 no shutdown

Tip: with the alias command the ACE owns a virtual gateway address much like an HSRP address. The real servers therefore use the alias IP (10.10.10.1), which both the primary and the secondary ACE share, as their default gateway, not the interface address of either unit.
81

FWSM Transparent & ACE Routed: FWSM bridge configuration facing the routed ACE

[Diagram: FWSM BVI bridging VLAN 12 (outside) and VLAN 11 (inside); ACE routed between VLAN 11 and VLAN 10]

interface Vlan11
 nameif inside
 bridge-group 1
 security-level 100
!
interface Vlan12
 nameif outside
 bridge-group 1
 security-level 0
!
interface BVI1
 ip address 11.11.11.12 255.255.255.0

Tip: bridge mode has the same structure on the FWSM and on the ACE. Whenever bridge mode is used, the STP design must be checked beforehand: BPDUs have to cross the bridge (hence the bpdu ethertype ACL), and the resulting Layer 2 topology across both chassis must stay loop-free.
82

FWSM Transparent & ACE Routed: ACE management policy configuration

Layers: management class-map -> management policy-map -> interface

class-map type management match-any c-mgmt
 2 match protocol icmp any
 3 match protocol telnet any
 4 match protocol ssh any

policy-map type management first-match p-mgmt
 class c-mgmt
  permit

interface vlan 11
 service-policy input p-mgmt
interface vlan 10
 service-policy input p-mgmt

ICMP is permitted here so that the real servers can ping their gateway (the ACE alias). Telnet and SSH from any source is a lab setting: telnet carries credentials in clear text, and a management class-map on the client-facing VLAN 11 exposes the ACE's own login to anything that reaches the VIP subnet. For production, drop telnet and match ssh with a source-address restricted to the admin subnet.
83
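The two lab shortcuts called out in this section (the "permit ip any any" ACL bound to an interface on slides 59/68 and the management class-map that accepts telnet from anywhere above) are the kind of thing that survives into production unnoticed. The following Python is an added example, not part of the Cisco deck: a small audit that parses ACE/FWSM-style configuration text into blocks and reports interfaces protected only by a wide-open ACL, management class-maps that allow telnet or accept management protocols from any source, and serverfarms with no probe (so failed reals would never leave rotation). The sample configuration is constructed from the snippets on the slides; the block parser assumes the usual IOS layout (top-level commands at column 0, sub-commands indented), and the finding codes are this example's own.

```python
"""Audit ACE/FWSM-style configuration text for the weak settings shown in the deck.

Added example, not from the Cisco deck. SAMPLE_CONFIG is constructed from the
slides' snippets; parse_blocks assumes top-level commands at column 0 and
sub-commands indented, as the ACE and FWSM print them.
"""
import re
from typing import List, Tuple

# Constructed sample: one wide-open ACL, one restrictive ACL, a lab management
# class-map, a hardened one, one probed farm and one unprobed farm.
SAMPLE_CONFIG = """\
access-list anyone extended permit ip any any
access-list web-only extended permit tcp any host 11.11.11.11 eq www
class-map type management match-any c-mgmt
  2 match protocol icmp any
  3 match protocol telnet any
  4 match protocol ssh any
class-map type management match-any c-mgmt-ssh
  2 match protocol ssh source-address 10.10.10.0 255.255.255.0
serverfarm host Web-Server
  probe icmp-probe
  rserver Server11
    inservice
serverfarm host URL-Server
  rserver Server13
    inservice
interface vlan 11
  access-group input anyone
  service-policy input match-www
interface vlan 21
  access-group input web-only
"""

Finding = Tuple[str, str]   # (configuration object, issue code)

MESSAGES = {
    "wide-open-acl": "bound ACL permits ip any any; restrict to the VIPs and ports served",
    "telnet": "telnet is clear-text; allow ssh only",
    "any-source": "management protocols accepted from any source; pin to the admin subnet",
    "no-probe": "no probe; failed reals stay in rotation",
}

_WIDE_OPEN_RE = re.compile(r"^access-list (\S+) extended permit ip any any$")
_ACCESS_GROUP_RE = re.compile(r"^access-group input (\S+)")
_ANY_SOURCE_RE = re.compile(r"^\d+ match protocol (\S+) any$")


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split config text into (top-level command, [stripped sub-commands]) blocks."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] not in " \t":
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def audit(config: str) -> List[Finding]:
    blocks = parse_blocks(config)
    findings: List[Finding] = []

    # Pass 1: names of ACLs that permit everything.
    wide_open = set()
    for header, _ in blocks:
        m = _WIDE_OPEN_RE.match(header)
        if m:
            wide_open.add(m.group(1))

    # Pass 2: where those ACLs, weak management matches and unprobed farms occur.
    for header, body in blocks:
        if header.startswith("interface "):
            for line in body:
                m = _ACCESS_GROUP_RE.match(line)
                if m and m.group(1) in wide_open:
                    findings.append((header, "wide-open-acl"))
        elif header.startswith("class-map type management"):
            name = "class-map " + header.split()[-1]
            if any(re.search(r"match protocol telnet\b", line) for line in body):
                findings.append((name, "telnet"))
            if any(_ANY_SOURCE_RE.match(line) for line in body):
                findings.append((name, "any-source"))
        elif header.startswith("serverfarm host "):
            name = "serverfarm " + header.split()[-1]
            if not any(line.startswith("probe ") for line in body):
                findings.append((name, "no-probe"))
    return findings


if __name__ == "__main__":
    for obj, code in audit(SAMPLE_CONFIG):
        print(f"{obj}: {MESSAGES[code]}")
```

On the constructed sample the audit flags interface vlan 11 (ACL anyone), class-map c-mgmt twice (telnet, any source) and serverfarm URL-Server (no probe), and accepts interface vlan 21, class-map c-mgmt-ssh and serverfarm Web-Server; run it over `show running-config` output from a context before it goes live.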

FWSM Transparent & ACE Routed: ACE monitoring, basics

ACE (slot 6)
DC_BB-A#sh asic-version slot 6
Module in slot 6 has 2 type(s) of ASICs
ASIC Name    Count  Version
HYPERION     1      (5.0)
SSA          1      (8.0)

FWSM (slot 7)
DC_BB-A#sh asic-version slot 7
Module in slot 7 has 2 type(s) of ASICs
ASIC Name    Count  Version
PINNACLE     2      (4.2)
MEDUSA       1      (2.0)

Unlike the FWSM and the CSM, which attach to the backplane as a multi-gigabit EtherChannel, the ACE attaches as a single 10G interface, so its port is monitored like any TenGigabitEthernet trunk.

DC_BB-A#sh interfaces tenGigabitEthernet 6/1 status
Port    Name   Status      Vlan   Duplex  Speed  Type
Te6/1          connected   trunk  full    10G    Multi Service Module

DC_BB-A#sh interfaces tenGigabitEthernet 6/1 counters
Port    InOctets   InUcastPkts  InMcastPkts  InBcastPkts
Te6/1   3900088    35250        18058        450
Port    OutOctets  OutUcastPkts OutMcastPkts OutBcastPkts
Te6/1   5555729    79198        2240         1640
84

FWSM Transparent & ACE Routed: ACE monitoring, svclc

DC_BB-A#show svclc vlan-group
Display vlan-groups created by both ACE module and FWSM commands
Group   Created by   vlans
-----   ----------   -----
1       ACE          100-102
2       ACE          10-12
3       ACE          20-22
4       ACE          99,198-199

DC_BB-A#show svclc module
Module   Vlan-groups
------   -----------
06       1,2,3,4

DC_BB-A#show interfaces tenGigabitEthernet 6/1 trunk
Port    Mode   Encapsulation   Status     Native vlan
Te6/1   on     802.1q          trunking   1

Port    Vlans allowed on trunk
Te6/1   10-12,20-22,99-102,198-199

Port    Vlans allowed and active in management domain
Te6/1   10-12,20-22,99-102,198-199

Port    Vlans in spanning tree forwarding state and not pruned
Te6/1   10-12,20-22,99-102,198-199
85

FWSM Transparent & ACE Routed: ACE monitoring, ARP table

ACE/A_Group# sh arp
Context A_Group
IP ADDRESS      MAC-ADDRESS          Interface   Type        Encap   Next Arp(s)   Status
10.10.10.1      00.0b.fc.fe.1b.02    vlan10      ALIAS       LOCAL   _             up
10.10.10.2      00.19.06.27.d9.01    vlan10      INTERFACE   LOCAL   _             up
10.10.10.11     00.10.c6.c0.01.55    vlan10      RSERVER     15      39 sec        up
10.10.10.12     00.0d.60.b1.20       vlan10      RSERVER     16      39 sec        up
10.10.10.13     00.00                vlan10      RSERVER                           dn
10.10.10.14     00.00                vlan10      RSERVER                           dn
11.11.11.252    00.d0.00.b8.00       vlan11      LEARNED     13      11305 sec     up
11.11.11.253    00.0e.d6.e4.8c.00    vlan11      LEARNED     14      11307 sec     up
11.11.11.254    00.00.0c.07.ac.02    vlan11      GATEWAY     12      58 sec        up
11.11.11.1      00.0b.fc.fe.1b.02    vlan11      ALIAS       LOCAL   _             up
11.11.11.2      00.19.06.27.d9.01    vlan11      INTERFACE   LOCAL   _             up
11.11.11.11     00.0b.fc.fe.1b.02    vlan11      VSERVER     LOCAL   _             up

The alias addresses and the VIP share one MAC (the FT pair's shared MAC), which is what lets the standby ACE take them over without an ARP change; the GATEWAY entry carries the HSRP virtual MAC of group 2 (00.00.0c.07.ac.02), matching the MSFC HSRP configuration. Server13/14 show no MAC and status dn, consistent with their PROBE-FAILED state.
86

FWSM Transparent & ACE Routed: ACE monitoring, routing table

ACE/A_Group# sh ip route
Routing Table for Context A_Group (Route Id 1)
Codes: H - host, I - interface, S - static, N - nat, A - need arp resolve, E - ecmp
Destination      Gateway        Interface   Flags
----------------------------------------------------
0.0.0.0/0        11.11.11.254   vlan11      S
11.11.11.0/24    0.0.0.0        vlan11      IA
10.10.10.0/24    0.0.0.0        vlan10      IA
Total route entries = 3
87

FWSM Transparent & ACE Routed: ACE monitoring, real servers

== Real server reachable ==
ACE/A_Group# sh rserver S11
rserver     : S11, type: HOST
state       : OPERATIONAL
---------------------------------------------------
                                      connections
real         weight  state            current   total
---+--------+------+----------------+---------+---------
serverfarm: Web-Server
  10.10.10.11:0   8    OPERATIONAL     0         0

== Real server unreachable ==
ACE/A_Group# sh rserver S12
rserver     : S12, type: HOST
state       : OPERATIONAL
---------------------------------------------------
                                      connections
real         weight  state            current   total
---+--------+------+----------------+---------+---------
serverfarm: Web-Server
  10.10.10.12:0   8    PROBE-FAILED    0         0

Note that S12 still reports state OPERATIONAL at the rserver level while its serverfarm entry says PROBE-FAILED: the ICMP probe is attached to the serverfarm, so it marks the real failed within that farm, and the rserver object (which has no probe of its own) stays OPERATIONAL. Check the per-serverfarm state, not only the rserver header, when verifying that a failed server has left rotation.
88

FWSM Transparent & ACE Routed: ACE monitoring, service policy

== Service policy status ==
ACE/A_Group# sh service-policy match-www detail
Status     : ACTIVE
Description:
-----------------------------------------
Interface: vlan 11
  service-policy: match-www
    class: Web-Server-VIP
      Address: 11.11.11.11  Port: eq 80
      loadbalance:
        L7 loadbalance policy: SLB
        VIP Route Metric     : 77
        VIP Route Advertise  : DISABLED
        VIP ICMP Reply       : ENABLED
        VIP State            : INSERVICE
        curr conns       : 0        , hit count        : 4
        dropped conns    : 0
        client pkt count : 170      , client byte count: 34199
        server pkt count : 171      , server byte count:
      L7 Loadbalance policy : SLB
        class/match : URL_Contents
          LB action   : serverfarm: URL-Server
          hit count   : 0
          dropped conns : 0
        class/match : class-default
          LB action   : serverfarm: Web-Server
          hit count   : 4
          dropped conns : 0
89

FWSM Transparent & ACE Routed: failover scenarios 1 to 3

[Diagram: OSPF Area 0 uplinks 172.16.1.1 / 172.16.2.1 on F1/48; MSFC 11.11.11.254; FWSM BVI 11.11.11.12; ACE client alias 11.11.11.1, server alias 10.10.10.1; VIP 11.11.11.11; trunk VLANs 20,21,22,99,198,199; server switches with RSTP; Server A 10.10.10.11 and Server B 10.10.10.12 on F9/1. Failure points 1 to 3 marked on the server-switch uplink, the ACE and the FWSM]

1 Server switch primary link cut
Session state kept; at most one ping lost. RSTP takes over in milliseconds.

2 ACE primary failure
Session state kept; at most one ping lost. Millisecond-range takeover can be configured through ACE FT.

3 FWSM failure
Session state kept; at most one ping lost. Millisecond-range takeover can be configured through FWSM stateful failover.
90

FWSM Transparent & ACE Routed: failover scenario 4

[Diagram: same topology as scenarios 1 to 3, with failure point 4 on the primary Cat6500 and its router uplink]

4 Primary 6500 failure or router uplink cut
Session state is kept or a detour path is established quickly; at most one ping lost. Fast reconvergence relies on OSPF tuning.

OSPF tuning
interface <uplink>
 ip ospf dead-interval minimal hello-multiplier 20
router ospf 1
 timers throttle spf 300 10000 30000
 timers throttle lsa all 2000 10000

"dead-interval minimal hello-multiplier 20" sends 20 hellos per second (one every 50 ms) with a 1 s dead interval, so a dead neighbor is detected within a second. The lsa throttle command takes three values in IOS (start, hold and maximum interval in ms); the slide shows two.
91

FWSM/ACE Design III: FWSM Multi-Pair Bridge & ACE Routed Mode
92

FWSM Multi-Pair Bridge & ACE Routed Mode: design key points

[Diagram: OSPF Area 0 uplinks 172.16.1.1 / 172.16.2.1 on F1/48, gateways .254; MSFC 21.21.21.254 and 41.41.41.254; FWSM BVI 1 21.21.21.12 (client side 21.21.21.1, server side 40.40.40.1 via ACE) and BVI 2 41.41.41.12 (client side 41.41.41.1, server side 40.40.40.1); VLAN pairs 22/21/20 and 42/41/40; VIPs 21.21.21.21 and 41.41.41.41; trunk VLANs 20,21,22,40,41,42,99,198,199; server switches F9/1 and F9/2 with RSTP; Server A 10.10.10.11, Server B 10.10.10.12]
93

FWSM Multi-Pair Bridge & ACE Routed Mode: design key points

[Diagram: same topology as the previous slide]

1 Easy migration
The FWSM stays in transparent (TP) mode, so the IP plan and the physical design change very little.

2 Design flexibility
FWSM multi-pair bridging allows many separate subnets to be bridged through one context. The ACE ships with 5 virtual contexts by default, so when the FWSM runs out of virtual contexts, multi-pair bridge mode substitutes for them.

3 Full use of the ACE's 5 default virtual contexts
The shortfall between the 5 ACE virtual contexts and the 3 virtual contexts on the firewall that pairs with them is covered by extending the FWSM with multi-pair bridging.
94

FWSM Multi-Pair Bridge & ACE Routed Mode: design key points

[Diagram: FWSM with Admin context, Context A and Context B, each with Outside 1-8 and Inside 1-8 bridged pairs]

FWSM multi-pair bridge mode is a very flexible configuration: each transparent context can hold up to 8 inside/outside pairs (bridge groups). When paired with the ACE, the FWSM's limited number of virtual contexts can be matched to the ACE's maximum number of virtual contexts this way. Eight bridge groups per context means 16 bridged interfaces per context; the two data contexts together provide the 32 inside/outside interfaces the deck quotes. Each bridge group is an independent Layer 2 domain with its own BVI, and ACLs are still enforced per interface, so separate tenants or tiers stay separated.
95

FWSM Multi-Pair Bridge & ACE Routed Mode: Sup720 configuration

ACE side
svclc multiple-vlan-interfaces
svclc module 6 vlan-group 2,4,40
svclc vlan-group 2 10-12
svclc vlan-group 40 40-43
! Inside, Outside, Client and Server VLANs used by the ACE and the FWSM
svclc vlan-group 4 99,198,199
! VLAN 99 for ACE FT tracking; VLANs 198/199 for FWSM failover and stateful failover

FWSM side
firewall multiple-vlan-interfaces
firewall module 7 vlan-group 2,4,40

The B-Group and C-Group contexts of this design use VLANs 20-22 and 40-42; group 2 (10-12) is carried over from Design II, and the 20-22 range (group 3 in the earlier show svclc output) must be assigned to both modules as well.
96

FWSM Multi-Pair Bridge & ACE Routed Mode: Sup720 HSRP configuration

[Diagram: Cat6500-A; MSFC 21.21.21.254 on VLAN 22 facing FWSM BVI 1 (21.21.21.12) and 41.41.41.254 on VLAN 42 facing BVI 2 (41.41.41.12); ACE client sides 21.21.21.1 / 41.41.41.1, server side 40.40.40.1; trunk VLANs 20,21,22,40,41,42,99,198,199]

interface Vlan22
 ip address 21.21.21.253 255.255.255.0
 standby 3 ip 21.21.21.254
 standby 3 priority 200
 standby 3 preempt

interface Vlan42
 ip address 41.41.41.253 255.255.255.0
 standby 41 ip 41.41.41.254
 standby 41 priority 200
 standby 41 preempt

Because the FWSM runs in multi-pair mode it has several bridge groups, so the MSFC needs one interface VLAN per FWSM BVI, each with its own HSRP group. As before, preempt is configured so that the internal links never flap the active router; the peer chassis carries the same interfaces with a lower priority.
97

FWSM Multi-Pair Bridge & ACE Routed Mode: FWSM virtual context configuration

System context
interface Vlan21
!
interface Vlan22
!
interface Vlan41
!
interface Vlan42
!
interface Vlan198
 description LAN Failover Interface
!
interface Vlan199
 description STATE Failover Interface
!
admin-context admin
context admin
 allocate-interface Vlan101
 allocate-interface Vlan102
 config-url disk:/admin.cfg
! Interfaces assigned to the Admin VF (virtual firewall) and the location of its config file
!
context B-G
 allocate-interface Vlan21
 allocate-interface Vlan22
 allocate-interface Vlan41
 allocate-interface Vlan42
 config-url disk:/B-G.cfg
! Interfaces assigned to the B-G VF and the location of its config file

All VLANs that take part in the multi-pair bridging belong to one and the same context.
98

FWSM Multi-Pair Bridge & ACE Routed Mode: FWSM failover configuration

failover lan unit primary
! Declares this FWSM as the primary (or secondary) unit
failover lan interface faillink Vlan198
! Failover (LAN) interface on VLAN 198
failover polltime unit msec 500 holdtime 3
! Unit poll time 500 ms, hold time 3 s
failover replication http
! Replicate HTTP connections to the standby
failover link statelink Vlan199
! Stateful failover interface on VLAN 199
failover interface ip faillink 192.168.98.1 255.255.255.0 standby 192.168.98.2
! Failover interface addresses (active/standby)
failover interface ip statelink 192.168.99.1 255.255.255.0 standby 192.168.99.2
! Stateful failover interface addresses
99

FWSM Multi-Pair Bridge & ACE Routed Mode: FWSM basic config (context B-G), interfaces

[Diagram: uplink 172.16.2.1 on F1/48; MSFC 21.21.21.254; VLAN pairs 22/21/20 and 42/41/40; BVI 1 21.21.21.12; client side 21.21.21.1, server side 40.40.40.1]

interface Vlan21
 nameif inside1
 bridge-group 1
 security-level 100
!
interface Vlan22
 nameif outside1
 bridge-group 1
 security-level 0
!
interface Vlan41
 nameif inside2
 bridge-group 2
 security-level 100
!
interface Vlan42
 nameif outside2
 bridge-group 2
 security-level 0
!
100

FWSM Multi-Pair Bridge & ACE Routed Mode: FWSM basic config (context B-G), BVIs and ACLs

[Diagram: same topology as the previous slide]

interface BVI1
 ip address 21.21.21.12 255.255.255.0 standby 21.21.21.13
!
interface BVI2
 ip address 41.41.41.12 255.255.255.0 standby 41.41.41.13
!
icmp permit any inside1
icmp permit any outside1
icmp permit any inside2
icmp permit any outside2
!
access-group bpdu in interface inside1
access-group permit in interface inside1
access-group bpdu in interface outside1
access-group permit in interface outside1
access-group bpdu in interface inside2
access-group permit in interface inside2
access-group bpdu in interface outside2
access-group permit in interface outside2
!

The bpdu (ethertype permit bpdu) and permit (permit ip any any) ACLs are the ones defined in the Design II basic config; each bridge group needs the BPDU permit on both of its interfaces. As there, the blanket permit is a test setting and each bridge group should get its own narrowed ACL in production.
101

FWSM Multi-Pair Bridge & ACE Routed Mode: ACE virtual partition (context) configuration

context B-Group
 allocate-interface vlan 20-21
! B-Group context with VLANs 20 and 21 assigned
context C-Group
 allocate-interface vlan 40-41
! C-Group context with VLANs 40 and 41 assigned

ft interface vlan 99
 ip address 99.99.99.1 255.255.255.0
 peer ip address 99.99.99.2 255.255.255.0
 no shutdown
! ACE fault-tolerance (FT) interface
ft peer 1
 heartbeat interval 100
 heartbeat count 10
 ft-interface vlan 99
! Heartbeat interval and count between the FT peers
102

FWSM Multi-Pair Bridge & ACE Routed Mode: ACE FT failover group configuration

ft group 3
 peer 1
 no preempt
 priority 200
 associate-context B-Group
 inservice
! One FT group per context, each with its own priority
ft group 4
 peer 1
 no preempt
 priority 200
 associate-context C-Group
 inservice

Tip: giving each FT group a different priority on the two modules spreads the active contexts across both ACE modules, so the pair can be run Active/Active or Active/Standby as the design requires. A given context is still active on only one module at a time; this is not a mode in which one context shares sessions and forwards traffic on both modules simultaneously.
103


FWSM Multi-Pair Bridge & ACE Routed Mode: ACE basic config, real servers (context B-Group)

rserver host Server11
 ip address 20.20.20.11
 inservice
rserver host Server12
 ip address 20.20.20.12
 inservice
105

FWSM Multi-Pair Bridge & ACE Routed Mode: ACE basic config, serverfarm

serverfarm host Web-Server
 probe ICMP-PROBE
 rserver Server11
  inservice
 rserver Server12
  inservice

ICMP-PROBE has to be defined (probe icmp ICMP-PROBE) before it can be referenced here; probe names are case-sensitive.
106


FWSM Multi-Pair Bridge & ACE Routed Mode: ACE basic config, server VIP

Layers: class-map -> LB policy-map -> serverfarm -> real servers

policy-map type loadbalance first-match SLB
 class class-default
  serverfarm Web-Server

class-map match-all Web-VIP-21
 2 match virtual-address 21.21.21.21 tcp eq www
108

FWSM Multi-Pair Bridge & ACE Routed Mode: ACE basic config, L3/L4 policy map

Layers: class-map -> L3/L4 policy-map -> LB policy-map -> serverfarm -> real servers

policy-map type loadbalance first-match SLB
 class class-default
  serverfarm Web-Server

class-map match-all Web-VIP-21
 2 match virtual-address 21.21.21.21 tcp eq www

policy-map multi-match match-www
 class Web-VIP-21
  loadbalance vip inservice
  loadbalance policy SLB
109

FWSM Multi-Pair Bridge & ACE Routed Mode: ACE basic config, L3/L4 policy map applied to the interface

Layers: class-map -> L3/L4 policy-map -> LB policy-map -> serverfarm -> real servers, plus interface ACL and service-policy

policy-map type loadbalance first-match SLB
 class class-default
  serverfarm Web-Server

class-map match-all Web-VIP-21
 2 match virtual-address 21.21.21.21 tcp eq www

policy-map multi-match match-www
 class Web-VIP-21
  loadbalance vip inservice
  loadbalance policy SLB

access-list anyone extended permit ip any any
interface vlan 21
 access-group input anyone
 service-policy input match-www

In context B-Group the client-facing interface is VLAN 21 (the context owns VLANs 20-21), so the service policy is applied there, not on VLAN 11 as in Design II.
110


FWSM Transparent & ACE Routed – ACE Basic Config – Management Policy Configuration
[Diagram: Class-map -> L3/L4 Policy map -> RealServer / ServerFarm]
  class-map type management match-any mgmt
    2 match protocol icmp any
    3 match protocol telnet any
    4 match protocol ssh any
  policy-map type management first-match mgmt
    class mgmt
      permit
  interface vlan 21
    service-policy input mgmt
  interface vlan 20
    service-policy input mgmt
ICMP is permitted in the management policy so that the real servers can ping their gateway on the ACE.
113

FWSM Transparent & ACE Routed – Failover Scenario
[Topology diagram: OSPF Area 0 core with uplinks 172.16.1.1 (F1/48, VLAN 1) and 172.16.2.1 (F1/48, VLAN 2); Cat6500 pair with trunk VLANs 20, 21, 22, 40, 41, 42, 99, 198, 199; FWSM bridge groups BVI1 21.21.21.12 and BVI2 41.41.41.12; ACE VIPs 21.21.21.21 and 41.41.41.41 with clients 21.21.21.1 and 41.41.41.1; servers A/B 10.10.10.11 and 10.10.10.12 behind RSTP on F9/1; failure points 1-4 marked]
1. Server switch primary link failure: session state is maintained, at most one ping lost; RSTP takes over within milliseconds.
2. ACE primary failure: session state is maintained, at most one ping lost; ACE FT can be configured for millisecond take-over.
3. FWSM failure: session state is maintained, at most one ping lost; FWSM stateful failover can be configured for millisecond take-over.
114

FWSM Transparent & ACE Routed – Failover Scenario 4
[Topology diagram as on the previous slide; failure point 4 is the primary Cat6500 or its router uplink]
4. Primary 6500 failure or router uplink failure: session state is maintained or a fast alternate path is found, at most one ping lost; fast OSPF tuning provides the quick re-route.
OSPF tuning:
  ip ospf dead-interval minimal hello-multiplier 20
  router ospf 1
    timers throttle spf 300 10000 30000
    timers throttle lsa all 2000 10000
115

ACE DSR Mode
116

ACE DSR Mode
[Topology diagram: OSPF Area 0 core with uplinks 172.16.1.1 (F1/48, VLAN 1) and 172.16.2.1 (F1/48, VLAN 2); Cat6500 pair with trunk VLANs 20, 21, 22, 99, 198, 199; server VLAN 50 with MSFC 50.50.50.254 and ACE alias 50.50.50.1; ACE VIP 55.55.55.55; Server A eth1 50.50.50.11 and Server B 50.50.50.12, each with eth1:1 55.55.55.55; RSTP on F9/1]
117

ACE DSR Mode – How It Works
[Diagram: server VLAN gateway 50.50.50.254 on the MSFC, ACE VIP 55.55.55.55, Server A eth1 50.50.50.11 with eth1:1 55.55.55.55; default gateway changed]
1. Static routing on the Supervisor: a static route for the VIP is forced toward the server VLAN gateway.
2. The ACE has no separate client side: only the virtual IP is configured. On the real servers a virtual interface carries the VIP, and the default gateway is the MSFC.
3. Better performance, weaker security:
  - Advantage: the ACE does not have to manage every connection.
  - There is no security benefit at all.
  - Even with an FWSM upstream, problems with the TCP flows are very likely.
  - With FWSM 3.2 such flows can be passed using the per-flow TCP state bypass feature.
118

ACE DSR Mode – Sup720 Configuration
ACE configuration:
  svclc multiple-vlan-interfaces
  svclc module 6 vlan-group 4,6
  svclc vlan-group 6 50        ! server VLAN used by the ACE
  svclc vlan-group 4 99        ! VLAN 99 for the ACE failover tracking (FT) VLAN
  ip route 55.55.55.55 255.255.255.255 50.50.50.1   ! static route straight to the DSR VIP via the ACE alias
119

ACE DSR Mode – DSR Basic Config
  rserver host S11
    ip address 50.50.50.11
    probe http-probe
    inservice
  rserver host S12
    ip address 50.50.50.12
    inservice
  serverfarm host Web-Server
    transparent                ! transparent mode implements DSR: no NAT is applied
    rserver S11
      inservice
    rserver S12
      inservice
  class-map match-all Web-Server-VIP
    3 match virtual-address 55.55.55.55 any
The VIP becomes the address on the real servers' virtual interface.
120

ACE DSR Mode – DSR Basic Config
  policy-map multi-match match-www
    class Web-Server-VIP
      loadbalance vip inservice
      loadbalance policy SLB
      loadbalance vip icmp-reply
  interface vlan 50
    description "Server Vlan"
    ip address 50.50.50.2 255.255.255.0
    alias 50.50.50.1 255.255.255.0
    peer ip address 50.50.50.3 255.255.255.0
    no normalization
    access-group input anyone
    service-policy input mgmt
    service-policy input match-www
    no shutdown
  ip route 0.0.0.0 0.0.0.0 50.50.50.254
The ACE default route must point to the MSFC address on the server VLAN (50.50.50.254).
121

ACE DSR Mode – DSR Basic Config
  probe icmp icmp-probe
    interval 2
    passdetect count 10
    receive 2
  serverfarm host DSR-Server
    transparent
    predictor leastconns
    probe icmp-probe
    rserver S11
      inservice
    rserver S12
      inservice
122

ACE DSR Mode – How to Test DSR – Linux Virtual Interface Setup
1. Configure the virtual interface on the Linux system:
  ifconfig eth1:1 55.55.55.55 netmask 255.255.255.255 broadcast 50.50.50.255 up
  ip link set eth1:1 arp off
2. All routing must go to the MSFC VLAN gateway, not to the ACE alias gateway:
  route add 0.0.0.0 gw 50.50.50.254
  root@[etc]# netstat -nr
  Kernel IP routing table
  Destination     Gateway         Genmask         Flags MSS Window irtt Iface
  0.0.0.0         50.50.50.254    255.255.255.255 UGH     0 0        0 eth1
123
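The two steps above leave a real server DSR-ready only if three things hold at once: the VIP is configured as a host address, the device carrying it does not answer ARP, and the default route points at the MSFC rather than the ACE alias. As an added example (not from the deck), this Python check verifies all three from `ip -o addr`, `ip -o link` and `ip route` output; the output samples are constructed for Server A above, and the regular expressions assume the iproute2 output layout.

```python
# Added example: verifies the DSR prerequisites from these slides on a Linux real
# server by parsing iproute2 output. The three output samples are constructed for
# the example (they describe Server A); in practice feed in live command output.
import re

VIP = "55.55.55.55"
MSFC_GW = "50.50.50.254"     # MSFC address on the server VLAN: the required gateway
ACE_ALIAS = "50.50.50.1"     # ACE alias on the same VLAN: must NOT be the gateway

SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth1    inet 50.50.50.11/24 brd 50.50.50.255 scope global eth1
2: eth1    inet 55.55.55.55/32 brd 50.50.50.255 scope global eth1:1
"""
SAMPLE_IP_LINK = "2: eth1: <NOARP,BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP\n"
SAMPLE_IP_ROUTE = """\
default via 50.50.50.254 dev eth1
50.50.50.0/24 dev eth1 proto kernel scope link src 50.50.50.11
"""


def parse_vip_interfaces(addr_out):
    """Return {device: prefixlen} for every configured address equal to the VIP."""
    found = {}
    for line in addr_out.splitlines():
        m = re.match(r"\d+:\s+(\S+)\s+inet\s+(\S+)/(\d+)", line)
        if m and m.group(2) == VIP:
            found[m.group(1)] = int(m.group(3))
    return found


def parse_noarp_devices(link_out):
    """Return the devices whose flags contain NOARP (result of 'ip link set ... arp off')."""
    devs = set()
    for line in link_out.splitlines():
        m = re.match(r"\d+:\s+([^:]+):\s+<([^>]*)>", line)
        if m and "NOARP" in m.group(2).split(","):
            devs.add(m.group(1))
    return devs


def parse_default_gateway(route_out):
    """Return the next hop of the default route, or None if there is none."""
    for line in route_out.splitlines():
        m = re.match(r"default via (\S+)", line)
        if m:
            return m.group(1)
    return None


def check_dsr_host(addr_out, link_out, route_out):
    """Return {check name: passed} for the three DSR prerequisites on the slide."""
    vips = parse_vip_interfaces(addr_out)
    noarp = parse_noarp_devices(link_out)
    gw = parse_default_gateway(route_out)
    return {
        # the VIP must be a /32 host address, not a second subnet on the server
        "vip_host_address": any(plen == 32 for plen in vips.values()),
        # the device holding the VIP must not answer ARP for it (arp off on the slide)
        "arp_off_on_vip_device": bool(vips) and all(dev in noarp for dev in vips),
        # server replies must leave via the MSFC, never via the ACE alias
        "default_via_msfc": gw == MSFC_GW and gw != ACE_ALIAS,
    }


def dsr_ready(addr_out, link_out, route_out):
    return all(check_dsr_host(addr_out, link_out, route_out).values())
```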

10G FLB Configuration with ACE – Standard Mode
124

ACE-based FWSM FLB Design
[Topology diagram: OSPF Area 0 core with uplinks 172.16.1.1 (F1/48, VLAN 1) and 172.16.2.1 (F1/48, VLAN 2); trunk VLANs 30-34, 99; ACE FLB Outside context: client VLAN 33 / 33.33.33.1, server VLAN 32 / 32.32.32.1; FWSM A outside VLAN 32 / 32.32.32.254, inside VLAN 31 / 31.31.31.254; FWSM B outside 32.32.32.253, inside 31.31.31.253; ACE FLB Inside context: client VLAN 31 / 31.31.31.1, server VLAN 30 / 30.30.30.1; MSFC HSRP 33.33.33.254 on VLAN 33 and 30.30.30.254 on VLAN 30; servers A/B 30.30.30.11 and 30.30.30.12 behind RSTP on F9/1]
125

ACE-based FWSM FLB Design – Key Points
[Topology diagram: OSPF Area 0 core with uplinks 172.16.1.1 (F1/48, VLAN 1) and 172.16.2.1 (F1/48, VLAN 2); ACE FLB Outside and ACE FLB Inside contexts; trunk VLANs 30-34, 99; servers A/B 30.30.30.11 and 30.30.30.12 behind RSTP on F9/1]
1. Optimal 10G FLB: firewall load balancing at 10G and above is built over the chassis' internal links, without a separate and complicated physical cabling scheme.
2. Highly scalable FLB design: several FLB services can be built using FWSM virtual contexts together with ACE virtual partitioning (contexts).
3. Maximum stability: the multi-tier L2 switch structure is removed, and tuned RSTP and OSPF provide fast alternate paths. Reliability is raised further by placing the probe point at the MSFC HSRP address adjacent to each ACE context.
126

ACE-based FWSM FLB Design – Sup720 Configuration
ACE configuration:
  svclc multiple-vlan-interfaces
  svclc module 6 vlan-group 4,5
  svclc vlan-group 4 99
  svclc vlan-group 5 30-33
FWSM configuration:
  firewall multiple-vlan-interfaces
  firewall module 7 vlan-group 5
127

ACE-based FWSM FLB Design – Sup720
[Diagram: ACE FLB Outside and ACE FLB Inside contexts between the MSFC VLANs; trunk VLANs 30-34, 99]
HSRP configuration, Cat6500-A:
  interface Vlan30
    description "ACE-Inside-In"
    ip vrf forwarding ACE-Inside-Server
    ip address 30.30.30.253 255.255.255.0
    standby 30 ip 30.30.30.254
    standby 30 priority 200
    standby 30 preempt
  interface Vlan33
    description "ACE-Outside-Out"
    ip address 33.33.33.253 255.255.255.0
    standby 33 ip 33.33.33.254
    standby 33 priority 200
    standby 33 preempt
For FLB, two virtual contexts on one ACE module are configured as mirror images of each other. The critical part is how the MSFC connects to the two contexts: since both context-facing VLANs are directly connected on the MSFC, traffic that has entered the FLB could be routed by the MSFC straight from one side to the other, bypassing the FWSMs. Use PBR or a VRF (as with the VRF on VLAN 30 above) so that FLB flows cannot take that shortcut.
128

ACE-based FWSM FLB Design – FWSM Basic Config – FWSM#A
  interface Vlan31
    nameif inside
    security-level 100
    ip address 31.31.31.254 255.255.255.0
  !
  interface Vlan32
    nameif outside
    security-level 0
    ip address 32.32.32.254 255.255.255.0
  !
  access-list permit extended permit ip any any
  !
  icmp permit any outside
  icmp permit any inside
  !
  access-group permit in interface outside
  access-group permit in interface inside
  route outside 0.0.0.0 0.0.0.0 32.32.32.1 1
  route inside 30.30.30.0 255.255.255.0 31.31.31.1 1
Because the FWSMs run behind the FLB they are all active, and no failover pair is needed. Plan the IP addressing of these all-active FWSMs carefully: each one needs its own inside and outside address (.254 here, .253 on FWSM#B). The permit-any access list is for the lab test; a production deployment carries its real rule set here.
129

ACE-based FWSM FLB Design – FWSM Basic Config – FWSM#B
  interface Vlan31
    nameif inside
    security-level 100
    ip address 31.31.31.253 255.255.255.0
  !
  interface Vlan32
    nameif outside
    security-level 0
    ip address 32.32.32.253 255.255.255.0
  !
  access-list permit extended permit ip any any
  !
  icmp permit any inside
  icmp permit any outside
  !
  access-group permit in interface inside
  access-group permit in interface outside
  route inside 30.30.30.0 255.255.255.0 31.31.31.1 1
  route outside 0.0.0.0 0.0.0.0 32.32.32.1 1
As with FWSM#A: the FWSMs are all active behind the FLB, no failover pair is needed, and each one needs its own inside and outside addressing (.253 here).
130

ACE-based FWSM FLB Design – ACE Virtual Partition Configuration
  context I-FLB
    allocate-interface vlan 30-31      ! declare the Inside FLB context and allocate its interface VLANs
  context O-FLB
    allocate-interface vlan 32-33      ! declare the Outside FLB context and allocate its interface VLANs
  ft interface vlan 99
    ip address 99.99.99.1 255.255.255.0
    peer ip address 99.99.99.2 255.255.255.0
    no shutdown                        ! ACE failover (FT) interface
  ft peer 1
    heartbeat interval 100
    heartbeat count 10
    ft-interface vlan 99               ! heartbeat interval and count between the FT peers
131

ACE-based FWSM FLB Design – ACE FT – Failover Group Configuration
  ft group 4
    peer 1
    no preempt
    priority 200
    associate-context O-FLB
    inservice                          ! FT group for the FLB Outside context
  ft group 5
    peer 1
    no preempt
    priority 200
    associate-context I-FLB
    inservice                          ! FT group for the FLB Inside context
132

ACE-based FWSM FLB Design – ACE FT – Failover Group Configuration
  ft interface vlan 99
    ip address 99.99.99.1 255.255.255.0
    peer ip address 99.99.99.2 255.255.255.0
    no shutdown
  ft peer 1
    heartbeat interval 100
    heartbeat count 10
    ft-interface vlan 99
FT interface: VLAN 99.
heartbeat interval: in milliseconds.
heartbeat count 10: the number of heartbeats.
In the example above, heartbeat interval * heartbeat count = 1 s.
133

ACE-based FWSM FLB Design – ACE Outside Basic Config – RealServer Configuration
[Diagram: ACE RealServer]
  rserver host FW253
    ip address 32.32.32.253
    inservice
  rserver host FW254
    ip address 32.32.32.254
    inservice
134

ACE-based FWSM FLB Design – ACE Outside Basic Config – ServerFarm Configuration
[Diagram: ACE RealServer -> ServerFarm]
  serverfarm host FLB-Out
    transparent
    predictor hash address 255.255.255.255
    rserver FW253
      inservice
    rserver FW254
      inservice
Since no NAT is needed, the serverfarm is transparent and the firewalls are load balanced with an address hash.
135

ACE-based FWSM FLB Design – ACE Outside Basic Config – SLB Policy Map Configuration
[Diagram: LB Policy map -> ACE RealServer / ServerFarm]
  policy-map type loadbalance first-match FLB-Policy
    class class-default
      serverfarm FLB-Out
136

ACE-based FWSM FLB Design – ACE Outside Basic Config – Server VIP Configuration
[Diagram: Class-map -> LB Policy map -> ACE RealServer / ServerFarm]
  policy-map type loadbalance first-match FLB-Policy
    class class-default
      serverfarm FLB-Out
  class-map match-any FLB-Out-VIP
    2 match virtual-address 30.30.30.0 255.255.255.0 any
    3 match virtual-address 31.31.31.0 255.255.255.0 any
The class-map declares the subnets handled on the FLB Outside side.
137

ACE-based FWSM FLB Design – ACE Outside Basic Config – L3/L4 Policy Map Configuration
[Diagram: Class-map -> L3/L4 Policy map -> LB Policy map -> ACE RealServer / ServerFarm]
  policy-map type loadbalance first-match FLB-Policy
    class class-default
      serverfarm FLB-Out
  class-map match-any FLB-Out-VIP
    2 match virtual-address 30.30.30.0 255.255.255.0 any
    3 match virtual-address 31.31.31.0 255.255.255.0 any
  policy-map multi-match FLB-MM-Policy
    class FLB-Out-VIP
      loadbalance vip inservice
      loadbalance policy FLB-Policy
      loadbalance vip icmp-reply
138

ACE-based FWSM FLB Design – ACE Outside Basic Config – L3/L4 Policy Map Configuration
[Diagram: Class-map -> L3/L4 Policy map -> LB Policy map -> ACE RealServer / ServerFarm; interface ACL and service policy applied]
  policy-map type loadbalance first-match FLB-Policy
    class class-default
      serverfarm FLB-Out
  class-map match-any FLB-Out-VIP
    2 match virtual-address 30.30.30.0 255.255.255.0 any
    3 match virtual-address 31.31.31.0 255.255.255.0 any
  policy-map multi-match FLB-MM-Policy
    class FLB-Out-VIP
      loadbalance vip inservice
      loadbalance policy FLB-Policy
      loadbalance vip icmp-reply
  access-list anyone line 8 extended permit ip any any
139

ACE-based FWSM FLB Design – ACE Outside Basic Config – L3/L4 Policy Map Configuration
[Diagram: Class-map -> L3/L4 Policy map -> LB Policy map -> ACE RealServer / ServerFarm; interface ACL and service policy applied]
  interface vlan 33
    description =ACE-Out-Client=
    ip address 33.33.33.2 255.255.255.0
    alias 33.33.33.1 255.255.255.0
    peer ip address 33.33.33.3 255.255.255.0
    access-group input anyone
    access-group output anyone
    service-policy input mgmt
    service-policy input FLB-MM-Policy
    no shutdown
  interface vlan 32
    description =ACE-Out-Server=
    ip address 32.32.32.2 255.255.255.0
    alias 32.32.32.1 255.255.255.0
    peer ip address 32.32.32.3 255.255.255.0
    mac-sticky enable
    access-group input anyone
    service-policy input mgmt
  !
  ip route 0.0.0.0 0.0.0.0 33.33.33.254
140

ACE-based FWSM FLB Design – ACE Outside Basic Config – Health Monitoring (Probe) #1
[Diagram: ACE Probe -> RealServer / ServerFarm; probe target is the MSFC HSRP address]
  probe icmp I-FLB-MSFC
    ip address 30.30.30.254
    interval 2
    faildetect 2
    passdetect interval 2
    passdetect count 5
    receive 1
  serverfarm host FLB-Out
    transparent
    predictor hash address 255.255.255.255
    probe I-FLB-MSFC
    rserver FW253
      inservice
    rserver FW254
      inservice
141

ACE-based FWSM FLB Design – ACE Outside Basic Config – Health Monitoring (Probe) #2
Probe syntax:
  probe <probe-type> <probe-name>
    description <description>
    port <port-number>
    interval <sec>
    faildetect <retry-count>
    passdetect interval <sec>
    passdetect count <number>
    receive <receive-timeout>
Example:
  probe icmp I-FLB-MSFC
    description ICMP-Probe
    interval 2
    faildetect 2
    passdetect interval 2
    passdetect count 5
    receive 1
Tip 1:
- interval: how often the probe is sent. In the example, a check every 2 seconds.
- faildetect: the number of failed probes after which the real server is regarded as failed. In the example, 2 failures mark it as failed.
- receive: how long the ACE waits for a reply after sending the probe to the server. In the example, it waits 1 second.
With this configuration, the total time until the server is declared failed works out to interval * faildetect * receive. It is therefore very important to calculate these three values carefully when deciding how a failed server is selected.
142

ACE-based FWSM FLB Design – ACE Outside Basic Config – Health Monitoring (Probe) #3
Probe syntax:
  probe <probe-type> <probe-name>
    description <description>
    port <port-number>
    interval <sec>
    faildetect <retry-count>
    passdetect interval <sec>
    passdetect count <number>
    receive <receive-timeout>
Example:
  probe icmp I-FLB-MSFC
    description ICMP-Probe
    interval 2
    faildetect 2
    passdetect interval 2
    passdetect count 5
    receive 1
Tip 2:
- passdetect interval: after a server has failed, how often the probe is re-sent to check for recovery. In the example, a probe every 2 seconds.
- passdetect count: the number of successful probes needed before a failed server is returned to service. In the example, service resumes after 5 successful probe results.
With this configuration, even once a failed server has actually recovered, returning it to service takes interval * count.
143

ACE-based FWSM FLB Design – ACE Outside Basic Config – Understanding the Health Monitoring (Probe) Point
[Diagram: Out HSRP VIP on the outside MSFC, ACE FLB Outside, FWSMs, ACE FLB Inside, In HSRP VIP on the inside MSFC]
Understanding the FLB probe point:
1. The Outside ACE probe point is the In HSRP VIP on the inside MSFC.
2. The Inside ACE probe point is the Out HSRP VIP on the outside MSFC.
3. Why give the probe an HSRP address?
4. If only the inside or only the outside of an FWSM (or firewall) fails, traffic can misbehave. The MSFC HSRP VIP is the first point that proves the whole flow the ACE is load balancing works end to end, so it is the right probe target.
144

ACE-based FWSM FLB Design – ACE Outside Basic Config – Understanding the Health Monitoring (Probe) Point
== When only the inside or only the outside of a firewall fails ==
  switch/A-FLB-OUT# sh probe
  probe       : I-FLB-MSFC
  type        : ICMP, state : ACTIVE
  ----------------------------------------------------------------------
     port      : 0       address     : 30.30.30.254   addr type  : TRANSPARENT
     interval  : 2       pass intvl  : 2              pass count : 5
     fail count: 2       recv timeout: 1
     --------------------- probe results --------------------
     probe association   probed-address  probes  failed  passed  health
     ------------------- +---------------+-------+-------+-------+-------
     serverfarm  : FLB-Out
       real      : FW253[0]       30.30.30.254    2520    1973    547     SUCCESS
       real      : FW254[0]       30.30.30.254    2585    2048    537     FAILED
Because the probe point is the HSRP VIP, a failure anywhere on the path through a real server (a firewall) is detected immediately, and no more packets are sent toward the failed FWSM or firewall.
145
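Operationally, the `show probe` output above is what tells you that a firewall path has been taken out of rotation. As an added example (not from the deck), this Python parser extracts each real/probe association and lists the paths whose health is not SUCCESS, suitable for feeding a monitoring check; the sample output is constructed to match the slide's layout, and the column order is assumed from it.

```python
# Added example: parses "show probe" output laid out like the slide above and
# reports which firewall paths the ACE has marked FAILED. The sample output is
# constructed for this example (two reals, FW254 failed); the regular
# expressions assume the column order shown on the slide.
import re

SAMPLE_SHOW_PROBE = """\
switch/A-FLB-OUT# sh probe
probe       : I-FLB-MSFC
type        : ICMP, state : ACTIVE
----------------------------------------------------------------------
   port      : 0       address     : 30.30.30.254   addr type  : TRANSPARENT
   interval  : 2       pass intvl  : 2              pass count : 5
   fail count: 2       recv timeout: 1
   --------------------- probe results --------------------
   probe association   probed-address  probes  failed  passed  health
   ------------------- +---------------+-------+-------+-------+-------
   serverfarm  : FLB-Out
     real      : FW253[0]       30.30.30.254    2520    1973    547     SUCCESS
     real      : FW254[0]       30.30.30.254    2585    2048    537     FAILED
"""

PROBE_RE = re.compile(r"^\s*probe\s*:\s*(\S+)")
FARM_RE = re.compile(r"^\s*serverfarm\s*:\s*(\S+)")
# real name, probed address, probes sent, failed, passed, health
REAL_RE = re.compile(r"^\s*real\s*:\s*(\S+)\[\d+\]\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\w+)")


def parse_show_probe(output):
    """Return one dict per real/probe association, in the order printed."""
    results, probe, farm = [], None, None
    for line in output.splitlines():
        if m := PROBE_RE.match(line):
            probe = m.group(1)
        elif m := FARM_RE.match(line):
            farm = m.group(1)
        elif m := REAL_RE.match(line):
            real, addr, probes, failed, passed, health = m.groups()
            results.append({"probe": probe, "serverfarm": farm, "real": real,
                            "probed_address": addr, "probes": int(probes),
                            "failed": int(failed), "passed": int(passed),
                            "health": health})
    return results


def failed_paths(output):
    """(serverfarm, real) pairs whose probe is not SUCCESS: paths the ACE no longer uses."""
    return [(r["serverfarm"], r["real"])
            for r in parse_show_probe(output) if r["health"] != "SUCCESS"]
```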

ACE-based FWSM FLB Design – ACE Outside Basic Config – Management Policy Configuration
[Diagram: Class-map -> L3/L4 Policy map -> RealServer / ServerFarm]
  class-map type management match-any mgmt
    2 match protocol icmp any
    3 match protocol telnet any
    4 match protocol ssh any
  policy-map type management first-match mgmt
    class mgmt
      permit
  interface vlan 32
    description =ACE-Out-Server=
    service-policy input mgmt
  interface vlan 33
    description =ACE-Out-Client=
    access-group input anyone
    service-policy input mgmt
    service-policy input FLB-MM-Policy
ICMP is permitted in the management policy so that the real servers can ping their gateway on the ACE.
146

ACE-based FWSM FLB Design – ACE Outside Monitoring – Real Server Monitoring
== Real server connection successful ==
  ACE/O-FLB# sh rserver
  rserver        : FW253, type: HOST
  state          : OPERATIONAL
  ---------------------------------
                                                   -----connections-----
     real                  weight  state          current    total
     ---+------------------+------+--------------+----------+----------
     serverfarm: FLB-Out
         32.32.32.253:0      8     OPERATIONAL    1          4
  rserver        : FW254, type: HOST
  state          : OPERATIONAL
  ---------------------------------
                                                   -----connections-----
     real                  weight  state          current    total
     ---+------------------+------+--------------+----------+----------
     serverfarm: FLB-Out
         32.32.32.254:0      8     OPERATIONAL    1          2
147

ACE-based FWSM FLB Design – ACE Inside Basic Config – RealServer Configuration
[Diagram: ACE RealServer]
  rserver host FW253
    ip address 31.31.31.253
    inservice
  rserver host FW254
    ip address 31.31.31.254
    inservice
148

ACE-based FWSM FLB Design – ACE Inside Basic Config – ServerFarm Configuration
[Diagram: ACE RealServer -> ServerFarm]
  serverfarm host FLB-In
    transparent
    predictor hash address 255.255.255.255
    rserver FW253
      inservice
    rserver FW254
      inservice
Since no NAT is needed, the serverfarm is transparent and the firewalls are load balanced with an address hash.
149
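Both the FLB-Out serverfarm (Outside context) and the FLB-In serverfarm above use `predictor hash address` rather than roundrobin, and the reason is the stateful FWSMs in the middle: the return packet of a connection must cross the same firewall as its forward packet. As an added example, not from the deck, the following Python model runs the same flows through a symmetric address hash and through round-robin and counts the replies a stateful firewall would drop; the hash itself (masked address sum) is an assumption for illustration, not the ACE algorithm, and the flows are constructed.

```python
# Added example: why the FLB serverfarms use "predictor hash address" rather than
# roundrobin. Toy model of the two ACE contexts choosing a FWSM for a packet; the
# hash used here (masked address sum) is an assumption for illustration, not the
# ACE algorithm, but it has the property that matters: the same value for
# (src, dst) and (dst, src), so both directions of a flow cross the same FWSM.
import ipaddress
import itertools

FIREWALLS = ["FW253", "FW254"]          # the two all-active FWSMs on these slides


class HashAddressPredictor:
    """Models 'predictor hash address <mask>': the choice depends only on addresses."""

    def __init__(self, farm=FIREWALLS, mask="255.255.255.255"):
        self.farm = farm
        self.mask = int(ipaddress.ip_address(mask))

    def pick(self, src, dst):
        key = ((int(ipaddress.ip_address(src)) & self.mask)
               + (int(ipaddress.ip_address(dst)) & self.mask))
        return self.farm[key % len(self.farm)]


class RoundRobinPredictor:
    """Models 'predictor roundrobin': the choice depends on arrival order only."""

    def __init__(self, farm=FIREWALLS):
        self._cycle = itertools.cycle(farm)

    def pick(self, src, dst):
        return next(self._cycle)


# Constructed flows: client on the outside (VLAN 33) -> server on the inside (VLAN 30).
FLOWS = [("33.33.33.10", "30.30.30.11"),
         ("33.33.33.11", "30.30.30.11"),
         ("33.33.33.12", "30.30.30.12")]
REPLY_ORDER = [2, 0, 1]                  # replies arrive in a different order than requests


def dropped_replies(flows, make_predictor, reply_order):
    """Forward packets cross the O-FLB context, replies cross the I-FLB context.

    Each FWSM is stateful: it only accepts a reply for a connection whose forward
    packet it saw. Returns how many replies would be dropped for that reason.
    """
    outside, inside = make_predictor(), make_predictor()
    seen = {fw: set() for fw in FIREWALLS}
    for client, server in flows:
        seen[outside.pick(client, server)].add((client, server))
    dropped = 0
    for i in reply_order:
        client, server = flows[i]
        if (client, server) not in seen[inside.pick(server, client)]:
            dropped += 1
    return dropped
```

With the hash predictor every reply returns through the firewall that holds its state; round-robin in two independent contexts sends replies to the wrong FWSM as soon as the orders differ.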

ACE-based FWSM FLB Design – ACE Inside Basic Config – SLB Policy Map Configuration
[Diagram: LB Policy map -> ACE RealServer / ServerFarm]
  policy-map type loadbalance first-match FLB-Policy
    class class-default
      serverfarm FLB-In
150

ACE-based FWSM FLB Design – ACE Inside Basic Config – Server VIP Configuration
[Diagram: Class-map -> LB Policy map -> ACE RealServer / ServerFarm]
  policy-map type loadbalance first-match FLB-Policy
    class class-default
      serverfarm FLB-In
  class-map match-any FLB-In-VIP
    2 match virtual-address 0.0.0.0 0.0.0.0 any
The class-map declares the subnet handled on the FLB Inside side: any destination.
151

ACE-based FWSM FLB Design – ACE Inside Basic Config – L3/L4 Policy Map Configuration
[Diagram: Class-map -> L3/L4 Policy map -> LB Policy map -> ACE RealServer / ServerFarm]
  policy-map type loadbalance first-match FLB-Policy
    class class-default
      serverfarm FLB-In
  class-map match-any FLB-In-VIP
    2 match virtual-address 0.0.0.0 0.0.0.0 any
  policy-map multi-match FLB-MM-Policy
    class FLB-In-VIP
      loadbalance vip inservice
      loadbalance policy FLB-Policy
      loadbalance vip icmp-reply
152

ACE-based FWSM FLB Design – ACE Inside Basic Config – L3/L4 Policy Map Configuration
[Diagram: Class-map -> L3/L4 Policy map -> LB Policy map -> ACE RealServer / ServerFarm; interface ACL and service policy applied]
  policy-map type loadbalance first-match FLB-Policy
    class class-default
      serverfarm FLB-In
  class-map match-any FLB-In-VIP
    2 match virtual-address 0.0.0.0 0.0.0.0 any
  policy-map multi-match FLB-MM-Policy
    class FLB-In-VIP
      loadbalance vip inservice
      loadbalance policy FLB-Policy
      loadbalance vip icmp-reply
  access-list anyone line 8 extended permit ip any any
153

ACE-based FWSM FLB Design – ACE Inside Basic Config – L3/L4 Policy Map Configuration
[Diagram: Class-map -> L3/L4 Policy map -> LB Policy map -> ACE RealServer / ServerFarm; interface ACL and service policy applied]
  interface vlan 30
    description =ACE-In-Client=
    ip address 30.30.30.2 255.255.255.0
    alias 30.30.30.1 255.255.255.0
    peer ip address 30.30.30.3 255.255.255.0
    access-group input anyone
    access-group output anyone
    service-policy input FLB-MM-Policy
    service-policy input mgmt
    no shutdown
  interface vlan 31
    description =ACE-In-Server=
    ip address 31.31.31.2 255.255.255.0
    alias 31.31.31.1 255.255.255.0
    peer ip address 31.31.31.3 255.255.255.0
    mac-sticky enable
    access-group input anyone
    service-policy input mgmt
  !
  ip route 0.0.0.0 0.0.0.0 30.30.30.254
154

ACE-based FWSM FLB Design – ACE Inside Basic Config – Health Monitoring (Probe) #1
[Diagram: ACE Probe -> RealServer / ServerFarm; probe target is the MSFC HSRP address]
  probe icmp O-FLB-MSFC
    ip address 33.33.33.254
    interval 2
    faildetect 2
    passdetect interval 2
    passdetect count 5
    receive 1
  serverfarm host FLB-In
    transparent
    predictor hash address 255.255.255.255
    probe O-FLB-MSFC
    rserver FW253
      inservice
    rserver FW254
      inservice
155

ACE-based FWSM FLB Design – ACE Inside Basic Config – Health Monitoring (Probe) #2
Probe syntax:
  probe <probe-type> <probe-name>
    description <description>
    port <port-number>
    interval <sec>
    faildetect <retry-count>
    passdetect interval <sec>
    passdetect count <number>
    receive <receive-timeout>
Example:
  probe icmp I-FLB-MSFC
    description ICMP-Probe
    interval 2
    faildetect 2
    passdetect interval 2
    passdetect count 5
    receive 1
Tip 1:
- interval: how often the probe is sent. In the example, a check every 2 seconds.
- faildetect: the number of failed probes after which the real server is regarded as failed. In the example, 2 failures mark it as failed.
- receive: how long the ACE waits for a reply after sending the probe to the server. In the example, it waits 1 second.
With this configuration, the total time until the server is declared failed works out to interval * faildetect * receive. It is therefore very important to calculate these three values carefully when deciding how a failed server is selected.
156

ACE-based FWSM FLB Design – ACE Inside Basic Config – Health Monitoring (Probe) #3
Probe syntax:
  probe <probe-type> <probe-name>
    description <description>
    port <port-number>
    interval <sec>
    faildetect <retry-count>
    passdetect interval <sec>
    passdetect count <number>
    receive <receive-timeout>
Example:
  probe icmp I-FLB-MSFC
    description ICMP-Probe
    interval 2
    faildetect 2
    passdetect interval 2
    passdetect count 5
    receive 1
Tip 2:
- passdetect interval: after a server has failed, how often the probe is re-sent to check for recovery. In the example, a probe every 2 seconds.
- passdetect count: the number of successful probes needed before a failed server is returned to service. In the example, service resumes after 5 successful probe results.
With this configuration, even once a failed server has actually recovered, returning it to service takes interval * count.
157
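The probe tips above (Tip 1 and Tip 2, repeated for the Outside and Inside contexts) describe a state machine: consecutive failures take a real out, consecutive successes at the passdetect interval bring it back. As an added example that is not part of the deck, the following Python model plays a server outage through those parameters so the detection and recovery timing can be read off for any combination of values; the timing assumptions (fixed send times, immediate replies from a healthy server, a failure counted when the receive timeout expires) are the example's own simplifications.

```python
# Added example: a simplified model of the ACE probe state machine described in
# the two tips above, used to see when a real server is marked FAILED and when
# it returns to service. Assumptions (not from the deck): probes are sent at
# fixed send times, a healthy server answers immediately, and an unanswered
# probe counts as failed when the receive timeout expires.
from dataclasses import dataclass


@dataclass
class ProbeParams:
    interval: float = 2.0             # seconds between probes while OPERATIONAL
    faildetect: int = 2               # consecutive failures that mark the server FAILED
    passdetect_interval: float = 2.0  # seconds between probes while FAILED
    passdetect_count: int = 5         # consecutive successes that restore service
    receive: float = 1.0              # seconds to wait for a reply


def simulate_probe(params, server_up, t_end=60.0):
    """Return [(time, new_state), ...]; server_up(t) gives the server's true health."""
    state, t_send, fails, succs, transitions = "OPERATIONAL", 0.0, 0, 0, []
    while t_send <= t_end:
        if server_up(t_send):
            fails, succs, t_event = 0, succs + 1, t_send                 # immediate reply
        else:
            succs, fails, t_event = 0, fails + 1, t_send + params.receive  # timeout
        if state == "OPERATIONAL" and fails >= params.faildetect:
            state, fails = "FAILED", 0
            transitions.append((t_event, state))
        elif state == "FAILED" and succs >= params.passdetect_count:
            state, succs = "OPERATIONAL", 0
            transitions.append((t_event, state))
        # probe spacing depends on the current state (interval vs passdetect interval)
        t_send += params.interval if state == "OPERATIONAL" else params.passdetect_interval
    return transitions


def outage_latencies(params, down_from, down_until):
    """Seconds from outage start to FAILED, and from recovery to OPERATIONAL again."""
    trans = simulate_probe(params, lambda t: not (down_from <= t < down_until))
    t_failed = next(t for t, s in trans if s == "FAILED")
    t_restored = next(t for t, s in trans if s == "OPERATIONAL" and t > t_failed)
    return t_failed - down_from, t_restored - down_until
```

With the slide's values and an outage starting 1 s after a successful probe, the model marks the server FAILED 4 s into the outage and restores it 8 s after recovery; a single unanswered probe shorter than faildetect * interval produces no transition at all.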

ACE-based FWSM FLB Design – ACE Inside Basic Config – Management Policy Configuration
[Diagram: Class-map -> L3/L4 Policy map -> RealServer / ServerFarm]
  class-map type management match-any mgmt
    2 match protocol telnet any
    3 match protocol icmp any
  policy-map type management first-match mgmt
    class mgmt
      permit
  interface vlan 30
    description =ACE-In-Client=
    service-policy input mgmt
    no shutdown
  interface vlan 31
    description =ACE-In-Server=
    service-policy input mgmt
    no shutdown
ICMP is permitted in the management policy so that the real servers can ping their gateway on the ACE.
158

ACE-based FWSM FLB Design – ACE Inside Monitoring – Real Server Monitoring
== Real server connection successful ==
  ACE/I-FLB# sh rserver
  rserver        : FW253, type: HOST
  state          : OPERATIONAL
  ---------------------------------
                                                   -----connections-----
     real                  weight  state          current    total
     ---+------------------+------+--------------+----------+----------
     serverfarm: FLB-In
         31.31.31.253:0      8     OPERATIONAL    3          510
  rserver        : FW254, type: HOST
  state          : OPERATIONAL
  ---------------------------------
                                                   -----connections-----
     real                  weight  state          current    total
     ---+------------------+------+--------------+----------+----------
     serverfarm: FLB-In
         31.31.31.254:0      8     OPERATIONAL    2          470
159

ACE-based FWSM FLB Design – Failover Scenario
[Topology diagram: OSPF Area 0 core with uplinks 172.16.1.1 (F1/48, VLAN 1) and 172.16.2.1 (F1/48, VLAN 2); ACE FLB Outside and ACE FLB Inside contexts; trunk VLANs 30-34, 99; servers A/B 30.30.30.11 and 30.30.30.12 behind RSTP on F9/1; failure points 1-4 marked]
1. Server switch primary link failure: session state is maintained, at most one ping lost; RSTP takes over within milliseconds.
2. ACE primary (Inside or Outside) failure: session state is maintained, at most one ping lost; ACE FT can be configured for millisecond take-over.
3. FWSM failure: since two or more FWSMs are running, traffic is redirected to the FWSM that is still in service.
160

ACE-based FWSM FLB Design – Failover Scenario 4
[Topology diagram: OSPF Area 0 core with uplinks 172.16.1.1 (F1/48, VLAN 1) and 172.16.2.1 (F1/48, VLAN 2); trunk VLANs 20, 21, 22, 99, 198, 199; VIP 11.11.11.11, client 11.11.11.1; servers A/B 10.10.10.11 and 10.10.10.12 behind RSTP on F9/1; failure point 4 marked]
4. Primary 6500 failure or router uplink failure: session state is maintained or a fast alternate path is found, at most one ping lost; fast OSPF tuning provides the quick re-route.
OSPF tuning:
  ip ospf dead-interval minimal hello-multiplier 20
  router ospf 1
    timers throttle spf 300 10000 30000
    timers throttle lsa all 2000 10000
161
